Beyond Linux® From Scratch (System V Edition)

Version 9.1

The BLFS Development Team

Copyright © 2001-2020, The BLFS Development Team

All rights reserved.

This book is licensed under a Creative Commons License.

Computer instructions may be extracted from the book under the MIT License.

Linux® is a registered trademark of Linus Torvalds.

Published 2020-03-01

Revision History
Revision 9.1 2020-03-01 Twenty-first release
Revision 9.0 2019-09-01 Twentieth release
Revision 8.4 2019-03-01 Nineteenth release
Revision 8.3 2018-09-01 Eighteenth release
Revision 8.2 2018-03-02 Seventeenth release
Revision 8.1 2017-09-01 Sixteenth release
Revision 8.0 2017-02-25 Fifteenth release
Revision 7.10 2016-09-07 Fourteenth release
Revision 7.9 2016-03-08 Thirteenth release
Revision 7.8 2015-10-01 Twelfth release
Revision 7.7 2015-03-06 Eleventh release
Revision 7.6 2014-09-23 Tenth release
Revision 7.5 2014-03-05 Ninth release
Revision 7.4 2013-09-14 Eighth release
Revision 6.3 2008-08-24 Seventh release
Revision 6.2 2007-02-14 Sixth release
Revision 6.1 2005-08-14 Fifth release
Revision 6.0 2005-04-02 Fourth release
Revision 5.1 2004-06-05 Third release
Revision 5.0 2003-11-06 Second release
Revision 1.0 2003-04-25 First release

Abstract

This book follows on from the Linux From Scratch book. It introduces and guides the reader through additions to the system including networking, graphical interfaces, sound support, and printer and scanner support.


Dedication

This book is dedicated to the LFS community

Table of Contents

Preface

Having helped out with Linux From Scratch for a short time, I noticed that we were getting many queries as to how to do things beyond the base LFS system. At the time, the only assistance specifically offered relating to LFS were the LFS hints (http://www.linuxfromscratch.org/hints). Most of the LFS hints are extremely good and well written but I (and others) could still see a need for more comprehensive help to go Beyond LFS - hence BLFS.

BLFS aims to be more than the LFS-hints converted to XML although much of our work is based around the hints and indeed some authors write both hints and the relevant BLFS sections. We hope that we can provide you with enough information to not only manage to build your system up to what you want, whether it be a web server or a multimedia desktop system, but also that you will learn a lot about system configuration as you go.

Thanks as ever go to everyone in the LFS/BLFS community; especially those who have contributed instructions, written text, answered questions and generally shouted when things were wrong!

Finally, we encourage you to become involved in the community; ask questions on the mailing list or news gateway and join in the fun on #lfs at irc.linuxfromscratch.org. You can find more details about all of these in the Introduction section of the book.

Enjoy using BLFS.

Mark Hymers
markh <at> linuxfromscratch.org
BLFS Editor (July 2001–March 2003)

I still remember how I found the BLFS project and started using the instructions that were completed at the time. I could not believe how wonderful it was to get an application up and running very quickly, with explanations as to why things were done a certain way. Unfortunately, for me, it wasn't long before I was opening applications that had nothing more than "To be done" on the page. I did what most would do, I waited for someone else to do it. It wasn't too long before I am looking through Bugzilla for something easy to do. As with any learning experience, the definition of what was easy kept changing.

We still encourage you to become involved as BLFS is never really finished. Contributing or just using, we hope you enjoy your BLFS experience.

Larry Lawrence
larry <at> linuxfromscratch.org
BLFS Editor (March 2003–June 2004)

The BLFS project is a natural progression of LFS. Together, these projects provide a unique resource for the Open Source Community. They take the mystery out of the process of building a complete, functional software system from the source code contributed by many talented individuals throughout the world. They truly allow users to implement the slogan "Your distro, your rules."

Our goal is to continue to provide the best resource available that shows you how to integrate many significant Open Source applications. Since these applications are constantly updated and new applications are developed, this book will never be complete. Additionally, there is always room for improvement in explaining the nuances of how to install the different packages. To make these improvements, we need your feedback. I encourage you to participate on the different mailing lists, news groups, and IRC channels to help meet these goals.

Bruce Dubbs
bdubbs <at> linuxfromscratch.org
BLFS Editor (June 2004–December 2006)

My introduction to the [B]LFS project was actually by accident. I was trying to build a GNOME environment using some how-tos and other information I found on the web. A couple of times I ran into some build issues and Googling pulled up some old BLFS mailing list messages. Out for curiosity, I visited the Linux From Scratch web site and shortly thereafter was hooked. I've not used any other Linux distribution for personal use since.

I can't promise anyone will feel the sense of satisfaction I felt after building my first few systems using [B]LFS instructions, but I sincerely hope that your BLFS experience is as rewarding for you as it has been for me.

The BLFS project has grown significantly the last couple of years. There are more package instructions and related dependencies than ever before. The project requires your input for continued success. If you discover that you enjoy building BLFS, please consider helping out in any way you can. BLFS requires hundreds of hours of maintenance to keep it even semi-current. If you feel confident enough in your editing skills, please consider joining the BLFS team. Simply contributing to the mailing list discussions with sound advice and/or providing patches to the book's XML will probably result in you receiving an invitation to join the team.

Randy McMurchy
randy <at> linuxfromscratch.org
BLFS Editor (December 2006–January 2011)

Foreword

This version of the book is intended to be used when building on top of a system built using the LFS book. Every effort has been made to ensure accuracy and reliability of the instructions. Many people find that using the instructions in this book after building the current stable or development version of LFS provides a stable and very modern Linux system.

Enjoy!

Randy McMurchy
August 24th, 2008

Last updated on 2016-04-17 13:16:17 -0700

Who Would Want to Read this Book

This book is mainly aimed at those who have built a system based on the LFS book. It will also be useful for those who are using other distributions, but for one reason or another want to manually build software and are in need of some assistance. Note that the material contained in this book, in particular the dependency listings, is based upon the assumption that you are using a base LFS system with every package listed in the LFS book already installed and configured. BLFS can be used to create a range of diverse systems and so the target audience is probably nearly as wide as that of the LFS book. If you found LFS useful, you should also like this!

Last updated on 2015-09-20 15:38:20 -0700

Organization

This book is divided into the following parts.

Part I - Introduction

This part contains information which is essential to the rest of the book.

Part II - Post LFS Configuration and Extra Software

Here we introduce basic configuration and security issues. We also discuss a range of editors, file systems, and shells which aren't covered in the main LFS book.

Part III - General Libraries and Utilities

In this section we cover libraries which are often needed by the rest of the book as well as system utilities. Information on Programming (including recompiling GCC to support its full range of languages) concludes this part.

Part IV - Basic Networking

Here we cover how to connect to a network when you aren't using the simple static IP setup given in the main LFS book. Networking libraries and command-line networking tools are also covered here.

Part V - Servers

Here we deal with setting up mail and other servers (such as SSH, Apache, etc.).

Part VI - X + Window Managers

This part explains how to set up a basic X Window System installation along with some generic X libraries and Window managers.

Part VII - KDE

For those who want to use the K Desktop Environment or some parts of it, this part covers it.

Part VIII - GNOME

GNOME is the main alternative to KDE in the Desktop Environment arena.

Part IX - Xfce

Xfce is a lightweight alternative to GNOME and KDE.

Part X - X Software

Office programs and graphical web browsers are important to most people. They, along with some generic X software can be found in this part of the book.

Part XI - Multimedia

Here we cover setting multimedia libraries and drivers along with some audio, video and CD-writing programs.

Part XII - Printing, Scanning and Typesetting (PST)

The PST part of the book covers document handling with applications like Ghostscript, CUPS and DocBook to installing texlive.

Appendices

The Appendices cover information which doesn't belong in the main book; they are mainly there as a reference.

Last updated on 2015-09-20 15:38:20 -0700

Part I. Introduction

Chapter 1. Welcome to BLFS

The Beyond Linux From Scratch book is designed to carry on from where the LFS book leaves off. But unlike the LFS book, it isn't designed to be followed straight through. Reading the Which sections of the book? part of this chapter should help guide you through the book.

Please read most of this part of the book carefully as it explains quite a few of the conventions used throughout the book.

Which Sections of the Book Do I Want?

Unlike the Linux From Scratch book, BLFS isn't designed to be followed in a linear manner. This is because LFS provides instructions on how to create a base system which is capable of turning into anything from a web server to a multimedia desktop system. BLFS attempts to guide you in the process of going from the base system to your intended destination. Choice is very much involved.

Everyone who reads the book will want to read certain sections. The Introduction part, which you are currently reading, contains generic information. Especially take note of the information in Chapter 2, Important Information, as this contains comments about how to unpack software, issues related to using different locales and various other aspects which apply throughout the book.

The part on Post LFS Configuration and Extra Software is where most people will want to turn next. This deals with not just configuration but also Security (Chapter 4, Security), File Systems (Chapter 5, File Systems and Disk Management), Editors (Chapter 6, Editors) and Shells (Chapter 7, Shells). Indeed, you may wish to reference certain parts of this chapter (especially the sections on Editors and File Systems) while building your LFS system.

Following these basic items, most people will want to at least browse through the General Libraries and Utilities part of the book. This part contains information on many items which are prerequisites for other sections of the book as well as some items (such as Chapter 13, Programming) which are useful in their own right. Note that you don't have to install all of these libraries and packages found in this part to start with as each BLFS installation procedure tells you which packages it depends upon so you can choose the program you want to install and see what it needs.

Likewise, most people will probably want to look at the Networking part. It deals with connecting to the Internet or your LAN (Chapter 14, Connecting to a Network) using a variety of methods such as DHCP and PPP, and with items such as Networking Libraries (Chapter 17, Networking Libraries) and various basic networking programs and utilities.

Once you have dealt with these basics, you may wish to configure more advanced network services. These are dealt with in the Servers part of the book. Those wanting to build servers should find a good starting point there. Note that this section also contains information on various database packages.

The next parts of the book principally deal with desktop systems. This portion of the book starts with a part talking about X plus Window and Display Managers. This part also deals with some generic X-based libraries (Chapter 25, X Libraries). After this, KDE and GNOME are given their own parts which are followed by one on X Software.

The book then moves on to deal with Multimedia packages. Note that many people may want to use the ALSA-1.2.1 instructions from this chapter quite near the start of their BLFS journey; they are placed here simply because it is the most logical place for them.

The final part of the main BLFS book deals with Printing, Scanning and Typesetting. This is useful for most people with desktop systems and even those who are creating mainly server systems will find it useful.

We hope you enjoy using BLFS and find it useful.

Last updated on 2012-12-19 11:57:20 -0800

Conventions Used in this Book

Typographical Conventions

To make things easy to follow, there are a number of conventions used throughout the book. Following are some examples:

./configure --prefix=/usr

This form of text is designed to be typed exactly as seen unless otherwise noted in the surrounding text. It is also used to identify references to specific commands.

install-info: unknown option
`--dir-file=/mnt/lfs/usr/info/dir'

This form of text (fixed width text) is showing screen output, probably a result from issuing a command. It is also used to show filenames such as /boot/grub/grub.conf

Emphasis

This form of text is used for several purposes in the book but mainly to emphasize important points or to give examples as to what to type.

http://www.linuxfromscratch.org/

This form of text is used for hypertext links external to the book such as HowTos, download locations, websites, etc.

SeaMonkey-2.53.1

This form of text is used for links internal to the book such as another section describing a different package.

cat > $LFS/etc/group << "EOF"
root:x:0:
bin:x:1:
......
EOF

This type of section is used mainly when creating configuration files. The first command (in bold) tells the system to create the file $LFS/etc/group from whatever is typed on the following lines until the sequence EOF is encountered. Therefore, this whole section is generally typed as seen.

<REPLACED TEXT>

This form of text is used to encapsulate text that should be modified and is not to be typed as seen, or copy and pasted. Note that the square brackets are not part of the text, but should be substituted for as well.

root

This form of text is used to show a specific system user or group reference in the instructions.

Conventions Used for Package Dependencies

When packages are created, the authors depend on prior work. In order to build a package in BLFS, these dependencies must be built prior to the desired package. For each package, any prerequisite packages are listed in one or more separate sections: Required, Recommended, and Optional.

Required Dependencies

These dependencies are the minimum prerequisite packages required to build the package. Omitted from the list are packages in LFS and required dependencies of other required packages.

Recommended Dependencies

These dependencies are those that the BLFS editors have determined are important to give the package reasonable capabilities. Package installation instructions assume they are installed. If a recommended package is not desired, the instructions may need to be modified to accommodate the missing package.

Optional Dependencies

These dependencies are those that the package may use. Integration of optional dependencies may be automatic by the package or may need additional instructions not presented by BLFS. Optional packages may be listed without corresponding BLFS instructions. In this case it is up to the user to determine appropriate installation instructions.

Conventions Used for Kernel Configuration Options

Some packages have specific needs regarding the kernel configuration. The general layout is the following:

Master section --->
  Subsection --->
    [*]     Required parameter                     [CONFIG_REQU_PAR]
    <*>     Required parameter (not as module)     [CONFIG_REQU_PAR_NMOD]
    <*/M>   Required parameter (could be a module) [CONFIG_REQU_PAR_MOD]
    <*/M/ > Optional parameter                     [CONFIG_OPT_PAR]
    [ ] Incompatible parameter                     [CONFIG_INCOMP_PAR]
    < > Incompatible parameter (even as module)    [CONFIG_INCOMP_PAR_MOD]

[CONFIG_...] on the right gives the name of the option, so you can easily check whether it is set in your config file. The meaning of the various entries is:

Master section top level menu item
Subsection submenu item
Required parameter the option could be either built-in or not selected: it must be selected
Required parameter (not as module) the option could be either built-in, module, or not selected: it must be selected as built-in
Required parameter (could be a module) the option could be either built-in, module, or not selected: it must be selected, either as built-in or module
Optional parameter rarely used: the option could be either built-in, module, or not selected: it may be selected at will
Incompatible parameter the option could be either built-in or not selected: it must not be selected
Incompatible parameter (even as module) the option could be either built-in, module, or not selected: it must not be selected

Note that, depending on other selections, the angle brackets (<>) may appear as braces ({}), if the option cannot be unselected, or even dashes (-*- or -M-), when the choice is imposed. The help text about the option specifies the other selections on which this option relies, and how those other selections are set.

SBU values in BLFS

As in LFS, each package in BLFS has a build time listed in Standard Build Units (SBUs). These times are relative to the time it took to build binutils in LFS and are intended to provide some insight into how long it will take to build a package. Most times listed are for a single processor or core to build the package. In some cases, large, long running builds tested on multi-core systems have SBU times listed with comments such as '(parallelism=4)'. These values indicate testing was done using multiple cores. Note that while this speeds up the build on systems with the appropriate hardware, the speedup is not linear and to some extent depends on the individual package and specific hardware used.

For packages which use ninja (e.g. anything using meson) or rust, by default all cores are used so similar comments will be seen on such packages even when the build time is minimal.

Where even a parallel build takes more than 15 SBU, on certain machines the time may be considerably greater even when the build does not use swap. In particular, different micro-architectures will build some files at different relative speeds and this can introduce delays when certain make targets wait for another file to be created. Where a large build uses a lot of C++ files, processors with Simultaneous Multi Threading will share the Floating Point Unit and can take 45% longer than when using four 'prime' cores (measured on an intel i7 using taskset and keeping the other cores idle).

Some packages do not support parallel builds and using -j1 for the make command is required. Packages that are known to have such limits are marked as such in the text.

Last updated on 2018-09-23 10:06:59 -0700

Book Version

This is BLFS-BOOK version 9.1 dated March 1st, 2020. This is the 9.1 branch of the BLFS book, currently targeting the LFS 9.1 book. For development versions, if this version is older than a month, it's likely that your mirror hasn't been synchronized recently and a newer version is probably available for download or viewing. Check one of the mirror sites at http://www.linuxfromscratch.org/mirrors.html for an updated version.

Last updated on 2016-04-17 13:16:17 -0700

Mirror Sites

The BLFS project has a number of mirrors set up world-wide to make it easier and more convenient for you to access the website. Please visit the http://www.linuxfromscratch.org/mirrors.html website for the list of current mirrors.

Last updated on 2007-04-04 12:42:53 -0700

Getting the Source Packages

Within the BLFS instructions, each package has two references for finding the source files for the package—an HTTP link and an FTP link (some packages may only list one of these links). Every effort has been made to ensure that these links are accurate. However, the World Wide Web is in continuous flux. Packages are sometimes moved or updated and the exact URL specified is not always available.

To overcome this problem, the BLFS Team, with the assistance of Oregon State University Open Source Lab, has made an HTTP/FTP site available through world wide mirrors. See http://www.linuxfromscratch.org/blfs/download.html#sources for a list. These sites have all the sources of the exact versions of the packages used in BLFS. If you can't find the BLFS package you need at the listed addresses, get it from these sites.

We would like to ask a favor, however. Although this is a public resource for you to use, please do not abuse it. We have already had one unthinking individual download over 3 GB of data, including multiple copies of the same files that are placed at different locations (via symlinks) to make finding the right package easier. This person clearly did not know what files he needed and downloaded everything. The best place to download files is the site or sites set up by the source code developer. Please try there first.

Last updated on 2017-02-11 20:17:33 -0800

Change Log

Current release: 9.1 – March 1st, 2020

Changelog Entries:

  • March 1st, 2020

    • [bdubbs] - Release of BLFS-9.1.

  • February 29th, 2020

    • [renodr] - Update to seamonkey-2.53.1. This has security fixes from several previous versions of firefox, and is a recommended upgrade. Fixes #13202.

  • February 28th, 2020

    • [ken] - Add libXpresent as external optional dependency for xfwm4.

  • February 27th, 2020

    • [renodr] - Update to epiphany-3.34.4. Fixes #13138.

    • [renodr] - Update to gnome-disk-utility-3.34.4. Fixes #13148.

    • [renodr] - Update to file-roller-3.32.4. Fixes #13142.

    • [renodr] - Update to evolution-3.34.4. Fixes #13135.

    • [renodr] - Update to gnome-control-center-3.34.4. Fixes #13129.

    • [renodr] - Update to mutter-3.34.4. Fixes #13149.

    • [renodr] - Update to gnome-shell-3.34.4. Fixes #13150>.

  • February 26th, 2020

    • [renodr] - Update to evolution-data-server-3.34.4. Part of #13135.

    • [renodr] - Update to tracker-2.3.2. Part of #13167.

    • [renodr] - Update to dconf-editor-3.34.4. Fixes #13132.

    • [renodr] - Add test instructions back to folks now that the test suite has been restored.

    • [renodr] - Update to tracker-miners-2.3.2. Fixes #13167.

  • February 25th, 2020

    • [renodr] - Update to grilo-0.3.12. Fixes #13137.

    • [renodr] - Update to gnome-desktop-3.34.4. Fixes #13153.

    • [renodr] - Update to gjs-1.58.5. Fixes #13157.

    • [renodr] - Update to WebkitGTK+-2.26.4. Fixes #13136.

  • February 22nd, 2020

    • [ken] - Update to gimp-2.10.18 (bugfix for corruption of large xcf files in 2.10.16). Fixes #13180.

    • [renodr] - Fix the build of cspctl in alsa-tools.

  • February 21st, 2020

    • [ken] - Update to gimp-2.10.16. Fixes #13169.

    • [ken] - Update to gegl-0.4.22. Fixes #13163.

  • February 20th, 2020

    • [ken] - Update to node-js-12.16.1. Fixes #13162.

  • February 19th, 2020

    • [bdubbs] - Update to plasma5-5.18.1. Fixes #13166.

    • [bdubbs] - Update to cups-filters-1.27.1. Fixes #12620.

    • [pierre] - Update to thunderbird-68.5.0. Fixes #13123.

    • [bdubbs] - Update to proftpd-1.3.6c. Fixes #13165.

    • [bdubbs] - Update to gptfdisk-1.0.5. Fixes #13161.

    • [pierre] - Update to vim-8.2.0190. Part of #12241.

  • February 18th, 2020

    • [ken] - Remove perl dependant modules Class::Factory::Util and Test::Simple which are no longer used by anything in the book. Fixes #13160.

    • [renodr] - Update to xf86-video-intel-20200218. Fixes #5918.

    • [bdubbs] - Update to postgresql-12.2. Fixes #13134.

    • [bdubbs] - Update to LVM2.2.03.08. Fixes #13118.

    • [bdubbs] - Update to mlt-6.20.0. Fixes #13151.

    • [bdubbs] - Update to x264-20200218. Addresses #7555.

    • [bdubbs] - Update to x265-3.3. Fixes #13156.

  • February 17th, 2020

    • [bdubbs] - Update to zsh-5.8. Fixes #13144.

    • [bdubbs] - Update to ImageMagick-6.9.10-93. Addresses #7859.

    • [bdubbs] - Update to ImageMagick-7.0.9-23. Addresses #7859.

    • [ken] - Update to mutt-1.13.4. Fixes #13147.

    • [ken] - Update to fetchmail-6.4.2. Fixes #13140.

    • [renodr] - Update to krb5-1.18. Fixes #13127>.

    • [bdubbs] - Update to libmypaint-1.5.0. Fixes #13122.

    • [bdubbs] - Update to ModemManager-1.12.6. Fixes #13126.

    • [ken] - Update to node-js-12.16.0. Fixes #13120.

  • February 16th, 2020

    • [bdubbs] - Update to gmime-3.2.6. Fixes #13141.

    • [bdubbs] - Update to ssh-askpass-8.2p1. Fixes #13131.

    • [bdubbs] - Update to bluez-5.53. Fixes #13146.

    • [bdubbs] - Update to IO-Socket-SSL-2.067 (Perl module). Fixes #13139.

    • [bdubbs] - Update to Net-DNS-1.22 (Perl module). Fixes #13133.

    • [pierre] - Remove gtk options for libreoffice: gtk2 is not used anymore.

    • [pierre] - Add gnutls as a required dependency of samba.

  • February 15th, 2020

    • [bdubbs] - Update to xterm-353. Fixes #13094.

    • [bdubbs] - Update to mesa-19.3.4. Fixes #13130.

    • [bdubbs] - Update to wayland-1.18.0. Fixes #13121.

  • February 14th, 2020

    • [bdubbs] - Update to openssh-8.2p1. Fixes #13131.

    • [bdubbs] - Update to libarchive-3.4.2. Fixes #13119.

    • [bdubbs] - Update to pcre-8.44. Fixes #13125.

    • [ken] - Update to nfsutils-2.4.3. Fixes #13116.

    • [pierre] - Fix building ptlib with make-4.3.

  • February 13th, 2020

    • [ken] - Reinstate pycairo-1.18.2 for python2 as 'pycairo', needed for the deps of pygtk. Addresses #13128.

    • [timtas] - Update to dovecot-2.3.9.3. Fixes #13124.

    • [pierre] - Update to speexdsp-1.2.0. Fixes #13117.

    • [pierre] - Fix building openjdk with make-4.3. Report by Jean-Marc Pigeon and patch found by Ken Moffat.

  • February 12th, 2020

    • [bdubbs] - Update to plasma-5.18.0. Fixes #12863.

  • February 11th, 2020

    • [renodr] - Add a patch to allow OpenSSH to build with glibc-2.31.

    • [ken] - Update to firefox-68.5.0esr (security fix). Fixes #13115.

  • February 10th, 2020

    • [renodr] - Add a security patch to libexif to fix CVE-2019-9278, an integer overflow vulnerability. Thanks goes to Chris Gorman for the report.

    • [bdubbs] - Update to libgee-0.20.3. Fixes #13114.

    • [bdubbs] - Update to vala-0.46.6. Fixes #13113.

    • [bdubbs] - Update to cbindgen-0.13.1. Fixes #13112.

  • February 9th, 2020

    • [bdubbs] - Update to kf5apps-19.12.2.

    • [bdubbs] - Update to kf5-5.67.0. Fixes #12882.

    • [ken] - Adjust the build of libreoffice: remove obsolete switches, note that all of dictionaries, help and translations will be downloaded if not present, reinstate system poppler. Fixes #13106.

    • [bdubbs] - Update to gdb-9.1. Fixes #13110.

    • [bdubbs] - Update to libgpg-error-1.37. Fixes #13109.

    • [bdubbs] - Update to nss-3.50. Fixes #13108.

    • [bdubbs] - Update to firewalld-0.8.1. Fixes #12995.

  • February 8th, 2020

    • [renodr] - Update to samba-4.11.6. Fixes #12665.

    • [renodr] - Add a patch to fix CVE-2020-6750 in glib.

    • [ken] - Update to HTTP::Daemon-6.06 and Module::Build-0.4231 (perl modules). Fixes #13107.

  • February 7th, 2020

    • [ken] - Update perl module dependencies used by biber: Alien::Build-2.00, Alien::Libxml2-0.12, Config::AutoConf-0.318, DateTime::Locale-1.25, DateTime::TimeZone-2.38, FFI::CheckLib-0.26, HTTP::Cookies-6.08, HTTP::Date-6.05 with new dependency of TimeDate-2.31, IPC::System::Simple-1.26, libwww::perl-6.43, List::SomeUtils-0.58, namespace::autoclean-0.29, Path::Tiny-0.112, Role::Tiny-2.001004.

    • [bdubbs] - Update to nano-4.8. Fixes #13105.

  • February 6th, 2020

    • [bdubbs] - Update to node.js-12.15.0. Fixes #13102.

    • [bdubbs] - Update to cmake-3.16.4. Fixes #13104.

    • [bdubbs] - Update to LSB-Tools-0.6. Fixes #13103.

    • [bdubbs] - Update to screen-4.8.0. Fixes #13101.

  • February 5th, 2020

    • [bdubbs] - Update to folks-0.13.2. Fixes #13098.

    • [bdubbs] - Add python module python-dbusmock-0.19.

    • [bdubbs] - Update to NetworkManager-1.22.6. Fixes #13089.

    • [bdubbs] - Update to libsecret-0.20.1. Fixes #13071.

    • [bdubbs] - Update to gspell-1.8.3. Fixes #13060.

  • February 4th, 2020

    • [bdubbs] - Update to libinput-1.15.1. Fixes #13097.

    • [bdubbs] - Update to mercurial-5.3. Fixes #13096.

  • February 3rd, 2020

    • [bdubbs] - Update to pycryptodome-3.9.6 (Python module). Fixes #13095.

  • February 2nd, 2020

    • [bdubbs] - Update to libtasn1-4.16.0. Fixes #13093.

    • [bdubbs] - Update to gnutls-3.6.12. Fixes #13092.

  • February 1st, 2020

    • [bdubbs] - Update to nspr-4.25. Fixes #13091.

    • [bdubbs] - Update to libbytesize-2.2. Fixes #13090.

  • January 31st, 2020

    • [pierre] - Update to elogind-243.4. Fixes #12984.

    • [bdubbs] - Update to xkeyboard-config-2.29. Fixes #13087.

    • [bdubbs] - Update to openldap-2.4.49. Fixes #13086.

    • [bdubbs] - Update to cbindgen-0.13.0. Fixes #13085.

    • [bdubbs] - Update to Jinja2-2.11.1. Fixes #13084.

    • [bdubbs] - Update to libgusb-0.3.3. Fixes #13083.

    • [bdubbs] - Update to sudo-1.8.31. Fixes #13082.

  • January 30th, 2020

    • [bdubbs] - Update to mariadb-10.4.12. Fixes #13079.

    • [bdubbs] - Update to thunar-1.8.12. Fixes #13081.

    • [bdubbs] - Update to libreoffice-6.4.0.3. Fixes #13080.

    • [bdubbs] - Update to lxml-4.5.0. Fixes #13078.

    • [bdubbs] - Update to unrar-5.9.1. Fixes #13077.

    • [bdubbs] - Update to highlight-3.55. Fixes #13076.

    • [bdubbs] - Update to poppler-0.85.0. Fixes #13075.

    • [bdubbs] - Update to p11-kit-0.23.20. Fixes #13074.

  • January 29th, 2020

    • [bdubbs] - Update to mesa-19.3.3. Fixes #13072.

    • [bdubbs] - Update to lxml-4.4.3 (Python Module). Fixes #13073.

  • January 28th, 2020

    • [ken] - Security updates to Qt-5.14.1 and QtWebEngine-5.14.1. Fixes #13067.

    • [timtas] - Update to thunderbird-68.4.2. Fixes #13059.

    • [bdubbs] - Update to sqlite-autoconf-3310100 (3.31.1). Fixes #13069.

    • [bdubbs] - Update to dhcpcd-8.1.6. Fixes #13066.

    • [bdubbs] - Update to Jinja2-2.11.0 (Python Module). Fixes #13065.

  • January 27th, 2020

    • [renodr] - Fix a FTBS in HDSPMixer in alsa-tools due to Linux-5.4 kernel API changes.

    • [ken] - Update to mutt-1.13.3. Fixes #13016.

    • [ken] - Falkon: reinstate removal of po files. Fixes #13064.

    • [bdubbs] - Update to qpdf-9.1.1. Fixes #13063.

    • [bdubbs] - Update to mtdev-1.1.6. Fixes #13062.

    • [bdubbs] - Update to pciutils-3.6.4. Fixes #13061.

    • [bdubbs] - Update to shadow-4.8.1. Fixes #13057.

  • January 25th, 2020

    • [bdubbs] - Update to bluefish-2.2.11. Fixes #13058.

    • [bdubbs] - Update to php-7.4.2. Fixes #13055.

    • [bdubbs] - Update to nss-3.49.2. Fixes #13054.

    • [bdubbs] - Update to dhcp-4.4.2. Fixes #13051.

    • [bdubbs] - Update to bind-9.14.10. Fixes #13048.

  • January 24th, 2020

    • [bdubbs] - Update to pycairo-1.19.0 (Python Module). Fixes #13056.

    • [bdubbs] - Update to libuv-1.34.2. Fixes #13053.

    • [bdubbs] - Update to sqlite-autoconf-3310000 (3.31.0). Fixes #13052.

    • [bdubbs] - Update to pciutils-3.6.3. Fixes #13050.

    • [bdubbs] - Update to p11-kit-0.23.19. Fixes #13049.

    • [bdubbs] - Update to webkitgtk-2.26.3. Fixes #13047.

    • [renodr] - Update to mutter-3.34.3. Fixes #12631.

  • January 23rd, 2020

    • [ken] - Update to asymptote-2.62. Fixes #13026.

  • January 22nd, 2020

    • [bdubbs] - Update to cmake-3.16.3. Fixes #13046.

  • January 21st, 2020

    • [ken] - Update to firefox-68.4.2esr. Fixes #13045.

    • [bdubbs] - Update to gparted-1.1.0. Fixes #13043.

    • [bdubbs] - Update to Mako-1.1.1 (Python Module). Fixes #13044.

  • January 19th, 2020

    • [bdubbs] - Update to mc-4.8.24. Fixes #13039.

    • [bdubbs] - Update to libxkbcommon-0.10.0. Fixes #13038.

  • January 18th, 2020

    • [bdubbs] - Update to gegl-0.4.20. Fixes #13037.

  • January 17th, 2020

    • [bdubbs] - Update to xterm-352. Fixes #13036.

    • [bdubbs] - Update to libva-2.6.1. Fixes #13035.

    • [bdubbs] - Update to docutils-0.16 (Python Module). Fixes #13034.

    • [bdubbs] - Update to XML-LibXSLT-1.99 (Perl Module). Fixes #13033.

  • January 16th, 2020

    • [bdubbs] - Update to wireshark-3.2.1. Fixes #13032.

    • [bdubbs] - Update to six-1.14.0 (Python module). Fixes #13031.

    • [bdubbs] - Update to guile-3.0.0. Fixes #13030.

    • [bdubbs] - Update to XML-LibXML-Simple-1.01 (Perl Module). Fixes #13029.

    • [bdubbs] - Update to libqmi-1.24.4. Fixes #13028.

    • [bdubbs] - Update to libmbim-1.22.0. Fixes #13027.

    • [pierre] - Update to libcap-2.31. Fixes #13019.

  • January 15th, 2020

    • [bdubbs] - Update to dbus-python-1.2.16 (Python Module). Fixes #13025.

    • [bdubbs] - Update to XML-LibXSLT-1.97 (Perl module). Fixes #13024.

    • [dj] - Update Mozilla Location Service API Key.

  • January 14th, 2020

    • [renodr] - In clisp, work around a build failure caused by a bug in GCC which is caused by binutils.

    • [bdubbs] - Update to git-2.25.0. Fixes #13022.

    • [bdubbs] - Update to ModemManager-1.12.4. Fixes #13021.

    • [bdubbs] - Update to nss-3.49.1. Fixes #13020.

    • [bdubbs] - Update to xorg-server-1.20.7. Fixes #13018.

  • January 13th, 2020

    • [bdubbs] - Update to libsecret-0.20.0. Fixes #13017.

    • [bdubbs] - Update to cbindgen-0.12.2. Fixes #13015.

    • [bdubbs] - Update to babl-0.1.74. Fixes #13014.

    • [bdubbs] - Update to libuv-1.34.1. Fixes #13013.

    • [bdubbs] - Update to xfdesktop-4.14.2. Fixes #13012.

    • [bdubbs] - Update to xfce4-panel-4.14.3. Fixes #13011.

    • [renodr] - Adapt WebKitGTK+ to changes in ICU-65.1+

  • January 11th, 2020

    • [bdubbs] - Update to xfce4-settings-4.14.2. Fixes #13008.

    • [bdubbs] - Update to xfce4-session-4.14.1. Fixes #13009.

    • [bdubbs] - Update to xfce4-panel-4.14.2. Fixes #13010.

  • January 10th, 2020

    • [renodr] - Update to Thunderbird-68.4.1. Contains a 0-day security patch and other security fixes. Fixes #13004.

    • [renodr] - Adapt alsa-tools to Linux-5.4+ and alsa-lib-1.2.1.2. Re-evaluate this before BLFS 9.1 or after a new alsa-lib version, whichever comes first.

    • [bdubbs] - Update to NetworkManager-1.22.4. Fixes #13007.

    • [bdubbs] - Update to grantlee-5.2.0. Fixes #13006.

    • [bdubbs] - Update to btrfs-progs-v5.4.1. Fixes #13005.

    • [bdubbs] - Update to mesa-19.3.2. Fixes #13003.

  • January 9th, 2020

    • [bdubbs] - Update to gnome-desktop-3.34.3. Fixes #13000.

    • [bdubbs] - Update to curl-7.68.0. Fixes #12999.

    • [bdubbs] - Update to icewm-1.6.4. Fixes #12998.

    • [bdubbs] - Update to node.js-12.14.1. Fixes #12997.

    • [bdubbs] - Update to nss-3.49. Fixes #12996.

    • [ken] - Update to firefox-68.4.1esr (security fix, rated as critical). Fixes #13002.

    • [pierre] - Add tests to elogind.

    • [pierre] - Add early microcode loading to the initramfs.

  • January 8th, 2020

    • [xry111] - Update to gjs-1.58.4. Fixes #12994.

    • [xry111] - Update to grilo-0.3.11. Fixes #13001.

  • January 7th, 2020

    • [bdubbs] - Update to mercurial-5.2.2. Fixes #12993.

    • [bdubbs] - Update to PyYAML-5.3 (Python Module). Fixes #12992.

    • [bdubbs] - Update to libwebp-1.1.0. Fixes #12991.

    • [bdubbs] - Update to libgusb-0.3.2. Fixes #12990.

    • [bdubbs] - Update to dconf-editor-3.34.3. Fixes #12989.

    • [ken] - Update to firefox-68.4.0esr (security fix). Fixes #12988.

  • January 6th, 2020

    • [renodr] - Adapt the testsuite in libxcb-1.13.1 to API changes in check-0.13.0 and later.

    • [bdubbs] - Update to seahorse-3.34.1. Fixes #12986.

    • [bdubbs] - Update to gnome-shell-3.34.3. Fixes #12985.

    • [bdubbs] - Update to glm-0.9.9.7. Fixes #12983.

    • [pierre] - Update to libcap-pam 2.30. Fixes #12981.

  • January 5th, 2020

    • [bdubbs] - Update to gnome-menus-3.35.3. Fixes #12982.

  • January 4th, 2020

    • [bdubbs] - Update to eog-3.34.2. Fixes #12980.

    • [bdubbs] - Update to gnome-maps-3.34.3. Fixes #12979.

    • [bdubbs] - Update to epiphany-3.34.3.1. Fixes #12971.

    • [bdubbs] - Update to evolution evolution-data-server 3.34.3. Fixes #12977.

    • [bdubbs] - Update to libinput-1.15.0. Fixes #12975.

    • [bdubbs] - Update to sshfs-3.7.0. Fixes #12973.

    • [bdubbs] - Update to glib-networking-2.62.3. Fixes #12972.

    • [bdubbs] - Update to sysstat-12.3.1. Fixes #12970.

    • [bdubbs] - Update to dhcpcd-8.1.5. Fixes #12969.

  • January 3rd, 2020

    • [renodr] - Update to xf86-input-wacom-0.39.0. Fixes #12948.

  • January 1st, 2020

    • [bdubbs] - Update to ffmpeg-4.2.2. Fixes #12967.

    • [bdubbs] - Update to libjpeg-turbo-2.0.4. Fixes #12966.

    • [bdubbs] - Update to sudo-1.8.30. Fixes #12965.

    • [pierre] - Update to libva-2.6.0. Fixes #12961.

    • [ken] - Add option for --disable-elf-hack to thunderbird, needed for my -march=native builds with clang-9.0.1 on Ryzen.

    • [bdubbs] - Update to libdazzle-3.34.1. Fixes #12963.

    • [bdubbs] - Update to smartmontools-7.1. Fixes #12964.

    • [bdubbs] - Update to libcap-2.29. Fixes #12950.

  • December 30th, 2019

    • [pierre] - Update to cbindgen-0.12.1. Fixes #12960.

    • [pierre] - Update to libarchive-3.4.1. Fixes #12959.

    • [bdubbs] - Update to xvidcore-1.3.7. Fixes #12957.

    • [bdubbs] - Update to poppler-0.84.0. Fixes #12956.

    • [bdubbs] - Update to doxygen-1.8.17. Fixes #12955.

    • [bdubbs] - Update to ruby-2.7.0. Fixes #12951.

    • [bdubbs] - Update to NetworkManager-1.22.2. Fixes #12949.

    • [renodr] - Adapt rustc to build with LLVM9. Fixes #12958.

  • December 29th, 2019

    • [bdubbs] - Update to file-roller-3.32.3. Fixes #12810.

    • [bdubbs] - Update to evince-3.34.2. Fixes #12809.

    • [bdubbs] - Update to gnome-maps-3.34.2. Fixes #12807.

    • [bdubbs] - Update to epiphany-3.34.2. Fixes #12804.

    • [bdubbs] - Update to evolution-3.34.2. Fixes #12802.

    • [bdubbs] - Update to gedit-3.34.1. Fixes #12794.

    • [bdubbs] - Update to gnome-settings-daemon-3.34.2. Fixes #12923.

    • [bdubbs] - Update to libsoup-2.68.3. Fixes #12868.

    • [ken] - Update to mutt-1.13.2. Fixes #12838.

    • [bdubbs] - Archive libESMTP. Fixes #12946.

    • [bdubbs] - Update to hexchat-2.14.3. Fixes #12945.

    • [bdubbs] - Update to tumbler-0.2.8. Fixes #12944.

    • [bdubbs] - Update to libmbim-1.20.4. Fixes #12943.

    • [bdubbs] - Update to tigervnc-1.10.1. Fixes #12942.

  • December 28th, 2019

    • [bdubbs] - Update to opencv-4.2.0. Fixes #12939.

    • [bdubbs] - Update to libtirpc-1.2.5. Fixes #12941.

    • [bdubbs] - Update to xfsprogs-5.4.0. Fixes #12938.

    • [bdubbs] - Update to libvpx-1.8.2. Fixes #12933.

    • [bdubbs] - Update to php-7.4.1. Fixes #12931.

    • [timtas] - Update to xfce4-terminal-0.8.9.1. Fixes #12954.

  • December 26th, 2019

    • [ken] - Update to (intel) microcode-20191115. Fixes #12952.

    • [ken] - Update to falkon-3.1.0. Fixes #12937.

  • December 25th, 2019

    • [renodr] - Update to cifs-utils-6.10. Fixes #12921.

    • [thomas] - Update to dhcpcd-8.1.4. Fixes #12940.

    • [thomas] - Update to nano-4.7. Fixes #12947.

    • [thomas] - Update to cmake-3.16.2. Fixes #12930.

  • December 24th, 2019

    • [ken] - Update to biber-2.14 with its new dependency of Parse::RecDescent (perl module). Fixes #12845.

    • [pierre] - Patch Qt-5.14.0 to fix a cursor problem in Wayland, and fix building KDE Frameworks with Qt-5.14.0.

  • December 22nd, 2019

    • [bdubbs] - Update to llvm-9.0.1. Fixes #12550.

    • [bdubbs] - Update to bind-9.14.9. Fixes #12924.

    • [bdubbs] - Update to mesa-19.3.1. Fixes #12926.

    • [pierre] - Update to vim-8.2.0024. Fixes #12936.

    • [pierre] - Update to python3-3.8.1. Fixes #12932.

  • December 20th, 2019

    • [ken] - Add Clone-0.43 (perl module). Fixes #12929.

    • [ken] - Update to Business:ISBN::Data-20191107 (perl module). Fixes second part of #12893.

    • [timtas] - Update to dhcpcd-8.1.3. Fixes #12935.

    • [pierre] - Update to blocaled-0.2. Fixes #12934.

  • December 19th, 2019

    • [bdubbs] - Update to glib-2.62.4. Fixes #12928.

    • [bdubbs] - Update to exo-0.12.11. Fixes #12927.

    • [bdubbs] - Update to wireshark-3.2.0. Fixes #12925.

    • [bdubbs] - Update to NetworkManager-1.22.0. Fixes #12920.

    • [bdubbs] - Update to node-12.14.0. Fixes #12922.

    • [pierre] - Update to elogind-241.4. Fixes #12918.

  • December 17th, 2019

    • [renodr] - Update to gnome-shell-extensions-3.34.2. Fixes #12902.

    • [renodr] - Update to gnome-shell-3.34.2. Fixes #12902.

    • [timtas] - Update to thunderbird-68.3.1. Fixes #12917.

    • [bdubbs] - Update to scons-3.1.2. Fixes #12915.

    • [bdubbs] - Update to cbindgen-0.12.0. Fixes #12914.

    • [bdubbs] - Update to talloc-2.3.1. Fixes #12913.

  • December 16th, 2019

    • [bdubbs] - Update to libreoffice-6.3.4.2. Fixes #12903.

    • [bdubbs] - Update to libical-3.0.7. Fixes #12912.

    • [bdubbs] - Update to xine-ui-0.99.12. Fixes #12426 (again).

  • December 15th, 2019

    • [bdubbs] - Update to cups-2.3.1. Fixes #12911.

    • [bdubbs] - Update to fuse-3.9.0. Fixes #12910.

    • [bdubbs] - Update to xine-ui-0.99.11. Fixes #12426.

    • [bdubbs] - Update to xine-lib-1.2.10. Fixes #12909.

    • [bdubbs] - Update to imlib2-1.6.1. Fixes #12908.

    • [bdubbs] - Update to fribidi-1.0.8. Fixes #12906.

    • [bdubbs] - Update to qemu-4.2.0. Fixes #12905.

    • [bdubbs] - Update to unbound-1.9.6. Fixes #12901.

    • [bdubbs] - Update to libqmi-1.24.2. Fixes #12900.

    • [bdubbs] - Update to libXpm-3.5.13 (Xorg Library). Fixes #12899.

    • [bdubbs] - Update to mesa-19.3.0. Fixes #12898.

    • [bdubbs] - Update to mariadb-10.4.11. Fixes #12894.

    • [bdubbs] - Update to ModemManager-1.12.2. Fixes #12891.

  • December 14th, 2019

    • [timtas] - Update to dovecot-2.3.9.2. Fixes #12907.

    • [renodr] - Update to gnome-autoar-0.2.4. Fixes #12897.

    • [pierre] - Update to Qt5 and Qtwebengine 5.14.0. Fixes #12895.

    • [pierre] - Update to MIT Kerberos V5-1.17.1. Fixes #12890.

  • December 12th, 2019

    • [bdubbs] - Update to libcap-2.28. Fixes #12883.

    • [bdubbs] - Update to boost-1.72.0. Fixes #12896.

    • [bdubbs] - Update to Business-ISBN-3.005. Fixes #12893.

    • [bdubbs] - Update to unrar-5.8.5. Fixes #12892.

    • [bdubbs] - Update to cmake-3.16.1. Fixes #12889.

  • December 10th, 2019

    • [ken] - Security update to git-2.24.1. Fixes #12888.

    • [renodr] - Update to gnome-session-3.34.2. Fixes #12834.

    • [bdubbs] - Update to frei0r-plugins-1.7.0. Fixes #12879.

    • [bdubbs] - Update to glib-networking-2.62.2. Fixes #12887.

    • [bdubbs] - Update to cbindgen-0.11.1. Fixes #12885.

    • [bdubbs] - Update to gnupg-2.2.19. Fixes #12884.

    • [ken] - Work around upstream qtwebengine's use of a NINJAJOBS environment variable, reported by Alain Dumont.

    • [ken] - Update to dvisvgm-2.8.2. Fixes #12771.

    • [ken] - Update to asymptote-2.61. Fixes #12784.

    • [timtas] - Update to exim-4.93 Fixes #12886.

  • December 9th, 2019

    • [renodr] - Fix CVE-2019-14822 in IBus and a regression caused by glib-2.62.3 and later.

    • [renodr] - Update to gnome-control-center-3.34.2. Fixes #12824.

    • [pierre] - Add blocaled-0.1, a replacement for systemd-localed.

  • December 8th, 2019

    • [bdubbs] - Update to lm-sensors-3-6-0. Fixes #12881.

    • [bdubbs] - Update to intel-vaapi-driver-2.4.0. Fixes #12878.

    • [thomas] - Update to iptables-1.8.4. Fixes #12852.

  • December 7th, 2019

    • [renodr] - Adapt PyGTK to API changes in Pango.

    • [renodr] - Update to Nautilus-3.34.2. Fixes #12803.

    • [renodr] - Update to a cairo snapshot (1.17.2 + master). The new version is 1.17.2+f93fc72c03e. Fixes #12880.

    • [renodr] - Update to pango-1.44.7. Fixes #12355.

  • December 6th, 2019

    • [renodr] - Update to gvfs-1.42.2. Fixes #12801.

    • [bdubbs] - Update to iw-5.4. Fixes #12877.

    • [bdubbs] - Update to mercurial-5.2.1. Fixes #12876.

    • [bdubbs] - Update to gstreamer stack 1.16.2. Fixes #12866.

    • [bdubbs] - Update to mesa-19.2.7. Fixes #12870.

    • [renodr] - Fix the DConf sed so that dconf-editor builds.

    • [renodr] - Fix deadlock bugs in tracker-miners caused by gstreamer and MP3 files.

  • December 5th, 2019

    • [renodr] - Update to evolution-data-server-3.34.2. Part of #12802.

    • [renodr] - Fix a bug in libgweather that causes failures due to a duplicate weather station.

    • [ken] - Update to nss-3.48. Fixes #12871.

    • [renodr] - Fix a build failure in Grilo caused by totem-pl-parser.

    • [renodr] - Update to gnome-desktop-3.34.2. Fixes #12862.

    • [bdubbs] - Update to xvidcore-1.3.6. Fixes #12874.

    • [bdubbs] - Update to wireshark-3.0.7. Fixes #12872.

    • [bdubbs] - Update to libcdio-paranoia-10.2+2.0.1. Fixes #12867.

    • [bdubbs] - Update to feh-3.3. Fixes #12864.

    • [bdubbs] - Update to libuv-v1.34.0. Fixes #12861.

    • [bdubbs] - Update to btrfs-progs-v5.4. Fixes #12860.

    • [bdubbs] - Update to cbindgen-0.11.0. Fixes #12855.

    • [bdubbs] - Update to gnutls-3.6.11.1. Fixes #12842.

    • [timtas] - Update to dovecot-2.3.9. Fixes #12873.

    • [timtas] - Update to thunderbird-68.3.0. Fixes #12865.

    • [renodr] - Update to shadow-4.8. Fixes #12843.

  • December 4th, 2019

    • [bdubbs] - Update to tcsh-6.22.02. Fixes #12869.

    • [dj] - Update to blfs-bootscripts-20191203.

    • [dj] - Update to firewalld-0.8.0. Fixes #12734.

    • [dj] - Update to nftables-0.9.3. Fixes #12850.

    • [dj] - Update to libnftnl-1.1.5. Fixes #12851.

    • [dj] - Add missing dependency "six" to python-slip.

  • December 3rd, 2019

    • [bdubbs] - Update to nspr-4.24. Fixes #12853.

    • [bdubbs] - Update to PyYAML-5.2. Fixes #12854.

    • [bdubbs] - Update to tcsh-6.22.01. Fixes #12844.

    • [bdubbs] - Update to LVM2.2.03.07. Fixes #12839.

    • [bdubbs] - Update to php-7.4.0. Fixes #12833.

    • [bdubbs] - Revert libsass to version 3.6.1. This is needed to prevent problems in dependent applications.

    • [bdubbs] - Update to gtk+-3.24.13. Fixes #12829.

    • [renodr] - Update to NetworkManager-1.20.8. Fixes #12823.

    • [ken] - Apply security and other fixes to unzip-6.0, this also allows the testsuite for Archive::Zip-1.67 to pass. Fixes #12840.

    • [ken] - Adjust inkscape to build with poppler-0.83.0. Fixes #12858.

    • [ken] - Update to firefox-68.3.0esr (security fix). Fixes #12856.

    • [ken] - Fix build breakage from ICU-65.1 in qtwebengine-5.13.2, again caused by a U16NEXT() without a terminating semicolon.

    • [ken] - Do not use system ICU for libreoffice, 65.1 broke one of the packages which it ships with (libfreehand). Fixes #12841.

  • December 2nd, 2019

    • [renodr] - Update to yelp-xsl-3.34.2. Fixes #12808.

    • [renodr] - Update to VTE-0.58.3. Fixes #12811.

  • November 30th, 2019

    • [ken] - Update to alsa-lib-1.2.1.2. Fixes #12837.

    • [bdubbs] - Update to pygments-2.5.2 (Python Module). Fixes #12836.

  • November 29th, 2019

    • [bdubbs] - Update to tcsh-6.22.00. Fixes #12832.

    • [bdubbs] - Update to bubblewrap-0.4.0. Fixes #12831.

    • [bdubbs] - Update to poppler-0.83.0. Fixes #12830.

    • [bdubbs] - Update to cmake-3.16.0. Fixes #12828.

    • [bdubbs] - Update to pygments-2.5.1 (Python Module). Fixes #12827.

    • [bdubbs] - Update to lxml-4.4.2 (Python Module). Fixes #12826.

    • [bdubbs] - Update to keyutils-1.6.1. Fixes #12825.

    • [bdubbs] - Update to libepoxy-1.5.4. Fixes #12822.

    • [bdubbs] - Update to dbus-python-1.2.14 (Python module). Fixes #12820.

    • [thomas] - Update to nano-4.6. Fixes #12835.

  • November 27th, 2019

    • [bdubbs] - Update to abiword 3.0.4. Fixes #12819.

    • [bdubbs] - Update to icewm-1.6.3. Fixes #12818.

    • [bdubbs] - Update to imlib2-1.6.0. Fixes #12817.

    • [bdubbs] - Update to postfix-3.4.8. Fixes #12816.

    • [bdubbs] - Update to librsvg-2.46.4. Fixes #12815.

  • November 26th, 2019

    • [renodr] - Update to gjs-1.58.3. Fixes #12812.

    • [renodr] - Update to GnuPG-2.2.18 (security fix). Fixes #12821.

  • November 25th, 2019

    • [bdubbs] - Update to xapian-core-1.4.14. Fixes #12814.

    • [bdubbs] - Update to stunnel-5.56. Fixes #12806.

    • [bdubbs] - Update to xorg-server-1.20.6. Fixes #12805.

    • [bdubbs] - Update to tcl8.6.10 and tk-8.6.10. Fixes #12800.

    • [bdubbs] - Update to pcre2-10.34. Fixes #12798.

    • [bdubbs] - Update to libtasn1-4.15.0. Fixes #12797.

  • November 24th, 2019

    • [bdubbs] - Update to exo-0.12.10. Fixes #12793.

    • [bdubbs] - Update to cbindgen-0.10.0. Fixes #12790.

    • [bdubbs] - Update to nss-3.47.1. Fixes #12789.

    • [bdubbs] - Update to node.js-12.13.1. Fixes #12788.

    • [bdubbs] - Update to tigervnc-1.10.0. Fixes #12783.

    • [bdubbs] - Update to glib-2.62.3. Fixes #12787.

    • [bdubbs] - Update to unbound-1.9.5. Fixes #12786.

    • [bdubbs] - Update to icu-65.1. Fixes #12785.

    • [bdubbs] - Update to pycryptodome-3.9.4 (python module). Fixes #12782.

    • [bdubbs] - Update to vala-0.46.5. Fixes #12781.

  • November 23rd, 2019

    • [renodr] - Update to alsa-lib-1.2.1.1 (and fix a pulseaudio build problem related to alsa-lib). Fixes #12813>.

    • [renodr] - Update to alsa-{firmware,lib,utils,plugins}-1.2.1. Fixes #12776.

    • [thomas] - Update to bind-9.14.8. Fixes #12792.

    • [thomas] - Update to php-7.3.12. Fixes #12799.

  • November 21st, 2019

    • [renodr] - Update to mesa-19.2.6. Fixes #12795.

    • [renodr] - Update to mesa-19.2.5. Fixes #12791.

    • [renodr] - Update to xf86-input-wacom-0.38.0 (Xorg Driver). Fixes #12651.

    • [renodr] - Update to xf86-video-amdgpu-19.1.0 (Xorg Driver). Fixes #12637.

    • [renodr] - Update to xf86-video-ati-19.1.0 (Xorg Driver). Fixes #12652.

  • November 19th, 2019

    • [ken] - Fix compilation of evince if texlive has been installed in accordance with the BLFS instructions.

  • November 18th, 2019

    • [bdubbs] - Update to xterm-351. Fixes #12780.

    • [bdubbs] - Update to unrar-5.8.4. Fixes #12779.

    • [bdubbs] - Update to qpdf-9.1.0. Fixes #12778.

    • [bdubbs] - Update to libgusb-0.3.1. Fixes #12777.

    • [bdubbs] - Update to nghttp2-1.40.0. Fixes #12775.

    • [bdubbs] - Update to xfsprogs-5.3.0. Fixes #12774.

    • [bdubbs] - Update to postgresql-12.1. Fixes #12768.

  • November 17th, 2019

    • [bdubbs] - Update external packages in fop to {pdf,font}box-2.0.17.jar. Fixes #12772.

    • [bdubbs] - Update to parole-1.0.5. Fixes #12770.

    • [bdubbs] - Update to exo-0.12.9. Fixes #12769.

    • [bdubbs] - Update to gmime-3.2.5. Fixes #12766.

    • [bdubbs] - Update to libidn2-2.3.0. Fixes #12765.

    • [bdubbs] - Update to sysstat-12.2.0. Fixes #12764.

    • [bdubbs] - Update to pycryptodome-3.9.3 (Python module). Fixes #12761.

    • [bdubbs] - Update to totem-pl-parser-3.26.4. Fixes #12759.

    • [bdubbs] - Update to mlt-6.18.0. Fixes #12758.

    • [bdubbs] - Update to highlight-3.54. Fixes #12756.

    • [bdubbs] - Update to thunderbird-68.2.2. Fixes #12750.

    • [bdubbs] - Update to thunar-1.8.11. Fixes #12773.

  • November 15th, 2019

    • [timtas] - Update to qemu-4.1.1. Fixes #12767.

    • [renodr] - Update to vala-0.46.4. Fixes #12755.

  • November 14th, 2019

    • [bdubbs] - Update to mesa-19.2.4. Fixes #12763.

  • November 13th, 2019

    • [timtas] - Update to dhcpcd-8.1.2. Fixes #12762.

    • [ken] - Update to Intel-Linux-Processor-Microcode-Data-Files-microcode-20191112. Fixes the Jump Conditional Code erratum on skylake and derived CPUs, and the TSX Async Abort vulnerability on some later CPUs. Fixes #12760.

    • [timtas] - Remove an invalid build option in talloc-2.3.0.

    • [timtas] - Require python3 instead of python2 in samba-4.11.0.

  • November 12th, 2019

    • [bdubbs] - Update to plasma5-5.17.3. Fixes #12480.

  • November 11th, 2019

    • [ken] - Update to asymptote-2.60. Fixes #12748.

  • November 10th, 2019

    • [bdubbs] - Update to pycryptodome-3.9.2. Fixes #12754.

    • [renodr] - Remove an obsolete instruction for i686 systems in Firefox-68.2.0.

    • [bdubbs] - Update to ModemManager-1.12.0. Fixes #12746.

    • [bdubbs] - Update to NetworkManager-1.20.6. Fixes #12743.

    • [bdubbs] - Update to thunar-1.8.10. Fixes #12752.

  • November 9th, 2019

    • [bdubbs] - Update to DateTime-Calendar-Julian-0.102 (Perl Module). Fixes #12753.

    • [bdubbs] - Update to kf5-5.64.0 including extra-cmake-modules and oxygen-icons5. Fixes #12507.

    • [bdubbs] - Update to fop-2.4. Fixes #12739.

    • [bdubbs] - Update to adwaita-icon-theme-3.34.3. Fixes #12751.

  • November 8th, 2019

    • [bdubbs] - Update to kf5-apps-19.08.3 including kwave and kate. Fixes #12473.

    • [bdubbs] - Update to webkitgtk-2.26.2. Fixes #12741.

    • [bdubbs] - Update to mesa-19.2.3. Fixes #12742.

    • [bdubbs] - Update to gnumeric-1.12.46. Fixes #12744.

    • [bdubbs] - Update to libseccomp-2.4.2. Fixes #12749.

    • [bdubbs] - Update to mariadb-10.4.10. Fixes #12738.

    • [bdubbs] - Update to mercurial-5.2. Fixes #12736.

    • [bdubbs] - Update to sshfs-3.6.0. Fixes #12728.

    • [bdubbs] - Update to fuse-3.8.0. Fixes #12727.

  • November 7th, 2019

    • [bdubbs] - Update to goffice-0.10.46. Fixes #12747.

    • [bdubbs] - Update to libmbim-1.20.2. Fixes #12745.

    • [bdubbs] - Update to six-1.13.0 (Python Module). Fixes #12737.

    • [bdubbs] - Update to Data-Compare-1.27 (Perl Module). Fixes #12735.

    • [bdubbs] - Update to libsass-3.6.3. Fixes #12732.

    • [bdubbs] - Update to adwaita-icon-theme-3.34.1. Fixes #12731.

    • [bdubbs] - Update to git-2.24.0. Fixes #12730.

    • [bdubbs] - Update to tiff-4.1.0. Fixes #12729.

    • [bdubbs] - Update to cpio-2.13. Fixes #12740.

  • November 6th, 2019

    • [timtas] - Update to curl-7.67.0. Re-Fixes #12733.

  • November 5th, 2019

    • [timtas] - Update to xfburn-0.6.1. Re-Fixes #12726.

  • November 3rd, 2019

    • [timtas] - Update to xfburn-0.6.0. Fixes #12726.

    • [renodr] - Fix dconf breakage with meson-0.52.0. Fixes #12691.

    • [bdubbs] - Update to pycryptodome-3.9.1 (Python module). Fixes #12724.

    • [bdubbs] - Update to xterm-350. Fixes #12725.

  • November 2nd, 2019

    • [renodr] - Fix a critical security vulnerability in qtwebengine. Fixes #12723>.

  • November 1st, 2019

    • [ken] - Add dvisvgm-2.8 with brotli-1.0.7 and woff2-1.0.2. Fixes #12105.

    • [bdubbs] - Update to libreoffice-6.3.3.2. Fixes #12721.

    • [renodr] - Update to bluez-5.52. Fixes #12718.

    • [renodr] - Update to ModemManager-1.10.8. Fixes #12717.

  • October 31st, 2019

    • [timtas] - Update to thunderbird-68.2.1. Fixes #12722.

    • [bdubbs] - Update to qt-everywhere-src-5.13.2. Includes QtWebEngine-5.13.2. Fixes #12719.

    • [bdubbs] - Update to cmake-3.15.5. Fixes #12719.

    • [bdubbs] - Update to shared-mime-info-1.15. Fixes #12716.

    • [bdubbs] - Update to libpwquality-1.4.2. Fixes #12714.

    • [bdubbs] - Update to libxml2-2.9.10. Fixes #12713.

    • [bdubbs] - Update to libxslt-1.1.34. Fixes #12715.

    • [renodr] - Add libhandy (for gnome-tweaks). Fixes #12663.

  • October 30th, 2019

    • [bdubbs] - Update to subversion-1.13.0. Fixes #12711.

    • [bdubbs] - Update to x265_3.2.1. Fixes #12712.

    • [bdubbs] - Update to harfbuzz-2.6.4. Fixes #12709.

    • [dj] - Add sudoers configuration for Xorg.

  • October 29th, 2019

    • [renodr] - Fix the build of SDL2 on i686 systems. Fixes #12633. Thanks goes to tnut for reporting.

    • [bdubbs] - Update to libchamplain-0.12.20. Fixes #12706.

    • [bdubbs] - Update to gnome-terminal-3.34.2. Fixes #12708.

    • [bdubbs] - Update to libpeas-1.24.1. Fixes #12707.

    • [bdubbs] - Update to gnome-user-docs-3.34.1. Fixes #12705.

    • [bdubbs] - Update to libinput-1.14.3. Fixes #12704.

    • [bdubbs] - Update to harfbuzz-2.6.3. Fixes #12703.

    • [timtas] - Update to sudo-1.8.29. Fixes #12702.

  • October 28th, 2019

    • [bdubbs] - Update to evince-3.34.0. Fixes #12617.

    • [bdubbs] - Update to gnome-screenshot-3.34.0. Partially fixes #12617.

    • [bdubbs] - Update to gnome-terminal-3.34.1. Partially fixes #12617.

    • [bdubbs] - Update to gnome-maps-3.34.1. Partially fixes #12617.

    • [bdubbs] - Update to eog-3.34.1. Partially fixes #12617.

    • [bdubbs] - Update to evolution-3.34.1. Partially fixes #12617.

    • [bdubbs] - Update to gnome-calculator-3.34.1. Partially fixes #12617.

    • [bdubbs] - Update to {libburn,libisoburn,libisofs}-1.5.2. Fixes #12701.

    • [bdubbs] - Update to gimp-2.10.14. Fixes #12700.

    • [bdubbs] - Update to decorator-4.4.1. Fixes #12699.

    • [bdubbs] - Update to telepathy-mission-control-5.16.5. Fixes #12698.

    • [ken] - Update to asymptote-2.59. Fixes #12591.

    • [renodr] - Adjust inkscape to build with poppler-0.82.0 and higher.

  • October 27th, 2019

    • [bdubbs] - Update to paps-0.7.1. Fixes #12697.

    • [bdubbs] - Update to mpg123-1.25.13. Fixes #12696.

    • [bdubbs] - Update to gegl-0.4.18. Fixes #12695.

    • [bdubbs] - Update to poppler-0.82.0. Fixes #12694.

    • [bdubbs] - Update to btrfs-progs-v5.3.1. Fixes #12693.

    • [bdubbs] - Update to mesa-19.2.2. Fixes #12690.

    • [bdubbs] - Update to thunderbird-68.2.0. Fixes #12687.

  • October 26th, 2019

    • [xry111] - Update to biblatex-3.13a.

  • October 25th, 2019

    • [bdubbs] - Update to php-7.3.11. Fixes #12689.

    • [bdubbs] - Update to gtkmm-3.24.2. Fixes #12688.

    • [bdubbs] - Update to wireshark-3.0.6. Fixes #12686.

    • [bdubbs] - Update to LVM2.2.03.06. Fixes #12685.

    • [bdubbs] - Update to librsvg-2.46.3. Fixes #12684.

    • [renodr] - Update to pycairo-1.18.2. Fixes #12692.

    • [dj] - Add nftables-0.9.2. Fixes #4620.

    • [dj] - Add firewalld-0.7.2.

    • [dj] - Add libnftnl-1.1.4.

    • [dj] - Add libmnl-1.0.4.

    • [dj] - Add decorator-4.4.0.

    • [dj] - Add python-slip-0.6.5.

    • [dj] - Update to blfs-bootscripts-20191025.

  • October 24th, 2019

    • [bdubbs] - Update to node.js-12.13.0. Fixes #12682.

    • [bdubbs] - Update to btrfs-progs-v5.3. Fixes #12680.

    • [bdubbs] - Update to p11-kit-0.23.18.1. Fixes #12678.

    • [bdubbs] - Update to libpwquality-1.4.1. Fixes #12677.

    • [bdubbs] - Update to gnutls-3.6.10. Fixes #12676.

    • [ken] - Update to fetchmail-6.4.1. Fixes #12436.

    • [bdubbs] - Update to Python-2.7.17. Fixes #12669.

    • [bdubbs] - Update to proftpd-1.3.6b. Fixes #12683.

    • [renodr] - Update to libxkbcommon-0.9.1. Fixes #12681.

    • [renodr] - Archive Vino. Will be replaced with gnome-remote-desktop soon.

  • October 23rd, 2019

    • [dj] - Update to LSB-Tools-0.5.

    • [renodr] - Revert the change to Python3 for pip3.

  • October 22nd, 2019

    • [ken] - Update to asymptote-2.58. Fixes #12591.

    • [renodr] - Fix an installation problem in Python-3.8 involving a symbolic link for pip3 not being created.

    • [ken] - Update to firefox-68.2.0esr (the extended support release). Includes security fixes. Please read the wiki link from the firefox page before replacing a previous version as this will try to force a new profile. Fixes #12615.

    • [thomas] - Update to sudo-1.8.28p1. Fixes #12679.

  • October 21st, 2019

    • [bdubbs] - Update to libxkbcommon-0.9.0. Fixes #12672.

    • [bdubbs] - Update to balsa-2.5.9. Fixes #12671.

    • [bdubbs] - Update to xkeyboard-config-2.28. Fixes #12670.

    • [timtas] - Update to dovecot-2.3.8. Fixes #12623.

    • [bdubbs] - Update to xorgproto-2019.2. Fixes #12662.

    • [bdubbs] - Update to libdrm-2.4.100. Fixes #12654.

    • [bdubbs] - Update to xapian-core-1.4.13. Fixes #12643.

    • [bdubbs] - Update to proftpd-1.3.6a. Fixes #12642.

    • [renodr] - Update to glib-2.62.2. Fixes #12675.

    • [renodr] - Fix the build instruction for Python-3.8.0 by updating the major version.

    • [renodr] - Update to unrar-5.8.3. Fixes #12673.

    • [renodr] - Update to bogofilter-1.2.5. Fixes #12552.

    • [renodr] - Update to NSS-3.47. Fixes #12674.

    • [renodr] - Update to libuv-1.33.1. Fixes #12668.

    • [renodr] - Update to nspr-4.23. Fixes #12664.

  • October 19th, 2019

    • [renodr] - Update to libuv-1.33.0. Fixes #12658.

    • [bdubbs] - Update to ghostscript-9.50. Fixes #12653.

    • [bdubbs] - Update to qpdf-9.0.2. Fixes #12644.

    • [bdubbs] - Update to aspell-0.60.8. Fixes #12641.

    • [bdubbs] - Update to balsa-2.5.8. Fixes #12639.

    • [bdubbs] - Update to opencv-4.1.2. Fixes #12635.

  • October 18th, 2019

    • [bdubbs] - Update to Python-3.8.0. Fixes #12650.

    • [bdubbs] - Update to sqlite-autoconf-3300100 (3.30.1). Fixes #12640.

    • [bdubbs] - Update to graphviz-2.42.3. Fixes #12630.

    • [bdubbs] - Update to librsvg-2.46.2. Fixes #12648.

    • [bdubbs] - Update to libdvdnav-6.0.1. Fixes #12645.

    • [bdubbs] - Update to libdvdread-6.0.2. Fixes #12646.

    • [bdubbs] - Update to bind-9.14.7. Fixes #12657.

    • [timtas] - Update to dhcpcd-8.1.1. Fixes #12659.

    • [renodr] - Update BIND instructions again to handle a blank file and a typo in /etc/named. Fixes #12656.

  • October 17th, 2019

    • [renodr] - Update to libinput-1.14.2. Fixes #12660.

    • [renodr] - Update to mutter-3.34.1. Part of #12617.

    • [renodr] - Update to gnome-shell-3.34.1. Part of #12617.

    • [renodr] - Update to gnome-shell-extensions-3.34.1. Part of #12617.

    • [renodr] - Update to gnome-session-3.34.1. Part of #12617.

    • [renodr] - Update to gdm-3.34.1. Part of #12617.

  • October 16th, 2019

    • [renodr] - Update to nautilus-3.34.1. Part of #12617.

    • [renodr] - Update to gnome-settings-daemon-3.34.1. Part of #12617.

    • [renodr] - Update to network-manager-applet-1.8.24. Part of #12617.

  • October 15th, 2019

    • [renodr] - Update to sudo-1.8.28. Fixes #12647. Contains a security fix for CVE-2019-14287, which is a restriction bypass.

    • [renodr] - Update to libgweather-3.34.0. Part of #12617.

    • [renodr] - Update to evolution-data-server-3.34.1. Part of #12617.

    • [renodr] - Update to tracker-2.3.1. Part of #12617.

    • [renodr] - Update to tracker-miners-2.3.1. Part of #12617.

    • [renodr] - Fix the configuration instructions for BIND. As part of this, use a non-deprecated rndc-confgen line and adapt to changes in 9.14.6. Fixes #12649.

    • [renodr] - Update to dconf-editor-3.34.2. Part of #12617.

    • [renodr] - Update to gnome-online-accounts-3.34.1. Part of #12617.

    • [renodr] - Update to parted-3.3. Fixes #12634.

    • [renodr] - Update to samba-4.11.0. Fixes #12543. NOTE: This version only supports SMBv2 and higher. SMBv1 clients will no longer be able to connect after upgrading.

    • [renodr] - Update to gvfs-1.42.1. Part of #12617.

    • [renodr] - Update to libsoup-2.68.2. Part of #12617.

  • October 14th, 2019

    • [renodr] - Update to gnome-desktop-3.34.1. Part of #12617.

    • [renodr] - Update to VTE-0.58.2. Part of #12617.

    • [renodr] - Update to gcr-3.34.0. Part of #12617.

  • October 13th, 2019

    • [bdubbs] - Update to Archive-Zip-1.37 (Perl Module). Fixes #12619.

    • [bdubbs] - Update to librsvg-2.46.1. Fixes #12618.

    • [thomas] - Update to dhcpcd-8.1.0. Fixes #12638.

  • October 12th, 2019

    • [ken] - Update to rustc-1.37.0. Fixes #12629.

    • [timtas] - Update to thunderbird-68.1.2. Fixes #12636.

    • [thomas] - Update to openssh-8.1p1. Fixes #12632.

  • October 11th, 2019

    • [renodr] - Update to gjs-1.58.1. Partially fixes #12617.

    • [renodr] - Update to fdk-aac-2.0.1. Fixes #12622.

  • October 10th, 2019

    • [ken] - Update to nss-3.46.1. Fixes #12628.

  • October 9th, 2019

    • [renodr] - Patch ghostscript against CVE-2019-14811, CVE-2019-18412, CVE-2019-18413, and CVE-2019-14817.

    • [renodr] - Update to mesa-19.2.1. Fixes #12626.

    • [renodr] - Update to libX11-1.6.9 (Xorg Library). Fixes #12627.

    • [renodr] - Update to vala-0.46.3. Fixes #12625.

  • October 8th, 2019

    • [renodr] - Update to at-spi2-atk-2.34.1. Part of #12617.

    • [renodr] - Update to gdk-pixbuf-2.40.0. Fixes #12621.

  • October 7th, 2019

    • [bdubbs] - Update to autofs-5.1.6. Fixes #12616.

  • October 6th, 2019

    • [bdubbs] - Update to epiphany-3.34.1. Fixes #12613.

    • [bdubbs] - Update to gnome-control-center-3.34.1. Fixes #12614.

    • [bdubbs] - Update to sqlite-autoconf-3300000 (3.30.0). Fixes #12612.

    • [bdubbs] - Update to gtk+3 3.24.12. Fixes #12608.

    • [bdubbs] - Update to glib-networking-2.62.1. Fixes #12611.

    • [bdubbs] - Update to Jinja2-2.10.3 (Python module). Fixes #12610.

    • [bdubbs] - Update to glib-2.62.1. Fixes #12609.

  • October 4th, 2019

    • [bdubbs] - Update to unbound-1.9.4. Fixes #12605.

    • [bdubbs] - Update to postgresql-12.0. Fixes #12604.

    • [bdubbs] - Update to nano-4.5. Fixes #12607.

    • [bdubbs] - Update to iso-codes-4.4. Fixes #12603.

    • [bdubbs] - Update to gmime-3.2.4. Fixes #12602.

  • October 3rd, 2019

    • [bdubbs] - Update to libreoffice-6.3.2.2. Fixes #12578.

    • [bdubbs] - Update to NetworkManager-1.20.4. Fixes #12588.

    • [bdubbs] - Update to mercurial-5.1.2. Fixes #12601.

    • [bdubbs] - Update to cmake-3.15.4. Fixes #12600.

  • October 2nd, 2019

    • [bdubbs] - Update to libpcap-1.9.1. Fixes #12599.

    • [bdubbs] - Update to sysstat-12.1.7. Fixes #12598.

    • [bdubbs] - Update to ruby-2.6.5. Fixes #12597.

    • [bdubbs] - Update to screen-4.7.0. Fixes #12596.

    • [bdubbs] - Update to seahorse-3.34. Fixes #12592.

  • October 1st, 2019

    • [bdubbs] - Update to harfbuzz-2.6.2. Fixes #12593.

    • [bdubbs] - Update to geoclue-2.5.5. Fixes #12594.

    • [bdubbs] - Update to gnome-keyring-3.34.0. Fixes #12590.

    • [bdubbs] - Update to vala-0.46.2. Fixes #12589.

    • [bdubbs] - Update to evince-3.34.0. Fixes #12587.

    • [bdubbs] - Update to freeglut-3.2.1. Fixes #12586.

  • September 29th, 2019

    • [timtas] - Update to exim-4.92.3 Fixes #12585.

  • September 28th, 2019

    • [bdubbs] - Update to geoclue-2.5.4. Fixes #12584.

    • [bdubbs] - Update to fribidi-1.0.7. Fixes #12583.

    • [bdubbs] - Update to fuse-3.7.0. Fixes #12582.

  • September 27th, 2019

    • [bdubbs] - Update to x265-3.2. Fixes #12580.

    • [bdubbs] - Update to pipewire-0.2.7. Fixes #12579.

    • [bdubbs] - Update to php-7.3.10. Fixes #12575.

    • [bdubbs] - Update to gnome-tweaks-3.34.0. Fixes #12581.

    • [bdubbs] - Update to phonon-backend-vlc-0.11.1. Fixes #12577.

    • [bdubbs] - Update to phonon-4.11.1. Fixes #12576.

    • [bdubbs] - Update to unrar-5.8.2. Fixes #12574.

  • September 26th, 2019

    • [bdubbs] - Update to mesa-19.2.0. Fixes #12570.

    • [bdubbs] - Update to links-2.20.2. Fixes #12572.

    • [bdubbs] - Update to xfce4-panel-4.14.1. Fixes #12571.

    • [timtas] - Update to thunderbird-68.1.1. Fixes #12573.

  • September 24th, 2019

    • [bdubbs] - Update to gnome-weather-3.34.0. Fixes #12569.

    • [ken] - Update to mutt-1.12.2. Fixes #12559.

    • [bdubbs] - Update to gstreamer-1.16.1 and plugins. Fixes #12566.

    • [bdubbs] - Update to cups-filters-1.25.6. Fixes #12567.

    • [bdubbs] - Update to libXvMC-1.0.12 (Xorg Library). Fixes #12568.

  • September 23rd, 2019

    • [bdubbs] - Update to WebKitGTK-2.26.1. Fixes #12565.

    • [bdubbs] - Update to xterm-349. Fixes #12564.

    • [bdubbs] - Update to v4l-utils-1.18.0. Fixes #12563.

    • [bdubbs] - Update to poppler-0.81.0. Fixes #12562.

    • [bdubbs] - Update to epiphany-3.34.0. Fixes #12533.

  • September 22nd, 2019

    • [bdubbs] - Update to mdadm-4.1. Fixes #12286.

    • [bdubbs] - Update to postfix-3.4.7. Fixes #12550.

    • [pierre] - Update to Awaita-icon-them-3.34.0. Fixes #12561.

  • September 21st, 2019

    • [bdubbs] - Update to wireshark-3.0.5. Fixes #12558.

    • [bdubbs] - Update to qpdf-9.0.1. Fixes #12556.

    • [bdubbs] - Update to libqmi-1.24.0. Fixes #12555.

    • [bdubbs] - Update to BIND Utilities and bind-9.14.6. Fixes #12547.

    • [bdubbs] - Update to gdb-8.3.1. Fixes #12554.

    • [bdubbs] - Update to mesa-19.1.7. Fixes #12544.

    • [bdubbs] - Update to icewm-1.6.2. Fixes #12542.

    • [bdubbs] - Update to glibmm-2.62.0. Fixes #12546.

    • [bdubbs] - Update to freeglut-3.2.0. Fixes #12541.

    • [renodr] - Update to shared-mime-info-1.14. Fixes #12557.

  • September 20th, 2019

    • [bdubbs] - Update to vala-0.46.1. Fixes #12540.

    • [bdubbs] - Update to potrace-1.16. Fixes #12539.

    • [bdubbs] - Update to gedit-3.34.0. Fixes #12501.

    • [bdubbs] - Update to gnome-terminal-3.34.0. Partially fixes #12501.

    • [bdubbs] - Update to gnome-maps-3.34.0. Partially fixes #12501.

    • [bdubbs] - Update to gnome-disk-utility-3.34.0. Partially fixes #12501.

    • [bdubbs] - Update to gnome-calculator-3.34.0. Partially fixes #12501.

    • [bdubbs] - Update to file-roller-3.32.2. Partially fixes #12501.

    • [bdubbs] - Update to evolution-3.34.0. Partially fixes #12501.

    • [bdubbs] - Update to eog-3.34.0. Partially fixes #12501.

    • [bdubbs] - Update to cheese-3.34.0. Partially fixes #12501.

    • [bdubbs] - Update to baobab-3.34.0. Partially fixes #12501.

    • [xry111] - Update to bluez-5.51. Fixes #12551.

    • [renodr] - Update to gnome-logs-3.34.0. Fixes #12553.

    • [bdubbs] - Update to Data-Compare-1.26 (Perl Module). Fixes #12549.

    • [bdubbs] - Update to Archive-Zip-1.66 (Perl module). Fixes #12545.

  • September 19th, 2019

    • [ken] - Update to asymptote-2.53. Fixes #12438.

    • [ken] - Archive::Zip (perl module) - move Test::MockModule to an optional dependency, it is used by one obscure sub-module. Fixes #12522.

    • [ken] - Update to firefox-69.0.1 (includes security fix). Fixes #12548.

    • [bdubbs] - Archive fuse2.

  • September 16th, 2019

    • [bdubbs] - Update to yelp-3.34.0. Fixes #12523.

    • [bdubbs] - Update to gnome-user-docs-3.34.0. Partially fixes #12523.

    • [bdubbs] - Update to gdm-3.34.0. Partially fixes #12523.

    • [bdubbs] - Update to gnome-session-3.34.0. Partially fixes #12523.

    • [bdubbs] - Update to gnome-shell-extensions-3.34.0. Partially fixes #12523.

    • [bdubbs] - Update to gnome-shell-3.34.0. Partially fixes #12523.

    • [bdubbs] - Update to mutter-3.34.0. Partially fixes #12523.

    • [bdubbs] - Update to nautilus-3.34.0. Partially fixes #12523.

    • [bdubbs] - Update to gvfs-1.42.0. Partially fixes #12523.

    • [bdubbs] - Update to gnome-backgrounds-3.34.0. Partially fixes #12523.

    • [bdubbs] - Update to gnome-control-center-3.34.0.1. Partially fixes #12523.

    • [bdubbs] - Update to gnome-settings-daemon-3.34.0. Partially fixes #12523.

    • [bdubbs] - Update to gnome-bluetooth-3.34.0. Partially fixes #12523.

    • [bdubbs] - Update to dconf-editor-3.34.1. Partially fixes #12523.

    • [bdubbs] - Update to dconf-0.34.0. Partially fixes #12523.

  • September 16th, 2019

    • [bdubbs] - Update to folks-0.13.1. Partially fixes #12523.

    • [bdubbs] - Update to evolution-data-server-3.34.0. Partially fixes #12523.

    • [bdubbs] - Update to libpeas-1.24.0. Partially fixes #12523.

    • [bdubbs] - Update to grilo-0.3.10. Partially fixes #12523.

    • [bdubbs] - Update to gnome-online-accounts-3.34.0. Partially fixes #12523.

    • [bdubbs] - Update to gnome-desktop-3.34.0. Partially fixes #12523.

    • [bdubbs] - Update to yelp-xsl-3.34.0. Partially fixes #12523.

    • [bdubbs] - Update to vte-0.58.0. Partially fixes #12523.

    • [bdubbs] - Update to gsettings-desktop-schemas-3.34.0. Partially fixes #12523.

    • [renodr] - Update to Samba-4.10.8. Fixes #12476.

  • September 15th, 2019

    • [bdubbs] - Update to libical-3.0.6. Fixes #12537.

  • September 14th, 2019

    • [bdubbs] - Update to libXfont2-2.0.4 (Xorg library). Fixes #12536.

    • [bdubbs] - Update to pulseaudio-13.0. Fixes #12535.

    • [dj] - Added docbook-xml-5.0 and docbook-xml-5.1. Fixes #3717.

  • September 13th, 2019

    • [bdubbs] - Update to glm-0.9.9.6. Fixes #12505.

    • [bdubbs] - Update to mariadb-10.4.8. Fixes #12529.

    • [bdubbs] - Update to wireshark-3.0.4. Fixes #12526.

    • [timtas] - Update to dhcpcd-8.0.6. Fixes #12534.

    • [bdubbs] - Update to ModemManager-1.10.6. Fixes #12531.

    • [bdubbs] - Update to dbus-python-1.2.12 (Python module). Fixes #12532.

    • [bdubbs] - Update to libsoup-2.68.1. Fixes #12528.

    • [bdubbs] - Update to shared-mime-info-1.13.1. Fixes #12525.

    • [bdubbs] - Update to enchant-2.2.7. Fixes #12524.

  • September 12th, 2019

    • [bdubbs] - Update to webkitgtk-2.26.0. Fixes #12520.

    • [bdubbs] - Update to gtksourceview-4.4.0. Fixes #12519.

    • [bdubbs] - Update to librsvg-2.46.0. Fixes #12517.

    • [bdubbs] - Update to NetworkManager-1.20.2. Fixes #12485.

    • [timtas] - Update to thunderbird-68.1.0. Fixes #12530.

    • [timtas] - Update to curl-66.0. Fixes #12527.

  • September 11th, 2019

    • [bdubbs] - Update to libreoffice-6.3.1.2. Fixes #12493.

    • [dj] - Update to make-ca-1.5.

  • September 10th, 2019

    • [bdubbs] - Update to pyatspi-3.34.0 (python module). Fixes #12515.

    • [bdubbs] - Update to pygobject3-3.34.0 (python module). Fixes #12516.

    • [bdubbs] - Update to at-spi2-core-2.34.0 and at-spi2-atk-2.34.0. Fixes #12518.

    • [bdubbs] - Update to atk-2.34.1. Fixes #12521.

    • [bdubbs] - Update to libuv-v1.32.0. Fixes #12514.

    • [bdubbs] - Update to libblockdev-2.23. Fixes #12513.

    • [bdubbs] - Update to gobject-introspection-1.62.0. Fixes #12512.

    • [bdubbs] - Update to gdk-pixbuf-2.38.2. Fixes #12511.

    • [bdubbs] - Update to libqmi-1.22.6. Fixes #12509.

    • [bdubbs] - Update to ffmpeg-4.2.1. Fixes #12503.

  • September 9th, 2019

    • [bdubbs] - Update to apache-ant-1.10.7. Fixes #12495.

    • [bdubbs] - Update to gspell-1.8.2. Fixes #12497.

    • [bdubbs] - Update to Archive-Zip-1.65 (Perl module). Fixes #12510.

    • [bdubbs] - Update to qtwebengine-everywhere-src-5.13.1.

    • [bdubbs] - Update to qt-everywhere-src-5.13.1. Fixes #12492.

    • [bdubbs] - Update to glib-networking-2.62.0. Fixes #12506.

    • [bdubbs] - Update to mercurial-5.1.1. Fixes #12496.

    • [bdubbs] - Update to enchant-2.2.6. Fixes #12494.

    • [dj] - Replace PyCrypto with PyCryptodome. Fixes #12210.

  • September 8th, 2019

    • [dj] - Update to LSB-Tools-0.4.

    • [bdubbs] - Update to gjs-1.58.0. Fixes #12508.

    • [bdubbs] - Update to libmbim-1.20.0. Fixes #12499.

    • [bdubbs] - Update to dhcpcd-8.0.4. Fixes #12491.

    • [bdubbs] - Update to cmake-3.15.3. Fixes #12490.

    • [timtas] - Update to exim-4.92.2 Fixes #12500.

    • [bdubbs] - Update to libjpeg-turbo-2.0.3. Fixes #12489.

    • [bdubbs] - Update to talloc-2.3.0. Fixes #12488.

    • [bdubbs] - Update to btrfs-progs-v5.2.2. Fixes #12487.

    • [bdubbs] - Update to glib-2.62.0. Fixes #12486.

    • [bdubbs] - Update to vala-0.46.0. Fixes #12484.

    • [bdubbs] - Update to mesa-19.1.6. Fixes #12479.

    • [bdubbs] - Update to cups-filters-1.25.5. Fixes #12498.

    • [xry111] - Update to epiphany-3.32.5. Fixes #12504.

    • [dj] - Update to BLFS-Bootscripts-20190908. Fixes #12010.

  • September 7th, 2019

    • [xry111] - Update to libsecret-0.19.1. Fixes #12502.

  • September 6th, 2019

    • [bdubbs] - Update to libsecret-0.19.0. Fixes #12482.

    • [bdubbs] - Update to upower-0.99.11. Fixes #12478.

    • [bdubbs] - Update to gtk+-3.24.11. Fixes #12477.

    • [bdubbs] - Update to v4l-utils-1.16.7. Fixes #12474.

    • [bdubbs] - Update to librsvg-2.44.15. Fixes #12472.

    • [bdubbs] - Update to libmypaint-1.4.0. Fixes #12468.

    • [bdubbs] - Update to libogg-1.3.4. Fixes #12467.

    • [bdubbs] - Update to qpdf-9.0.0. Fixes #12466.

  • September 4th, 2019

    • [bdubbs] - Update to seamonkey-2.49.5. Fixes #12465.

    • [bdubbs] - Update to Net-DNS-1.21 (Perl Module). Fixes #12464.

    • [bdubbs] - Update to logrotate-3.15.1. Fixes #12462.

    • [bdubbs] - Update to php-7.3.9. Fixes #12460.

    • [bdubbs] - Update to links-2.20.1. Fixes #12457.

    • [bdubbs] - Update to emacs-26.3. Fixes #12454.

    • [renodr] - Update to glib-2.60.7. Fixes #12471.

    • [renodr] - Update to dbus-python-1.2.10 (Python Module). Fixes #12470.

    • [renodr] - Update to libnl-3.5.0. Fixes #12469.

    • [renodr] - Update to unrar-5.8.1. Fixes #12463.

    • [renodr] - Update to NSS-3.46. Fixes #12461.

    • [renodr] - Update to libusb-1.0.23. Fixes #12455.

    • [bdubbs] - Update to phonon-backend-vlc-4.11.0. Fixes #12451.

    • [bdubbs] - Update to phonon-backend-gstreamer-4.10.0. Fixes #12450.

    • [bdubbs] - Update to phonon-4.11.0. Fixes #12449.

  • September 3rd, 2019

    • [bdubbs] - Update to unbound-1.9.3. Fixes #12447.

    • [bdubbs] - Update to cbindgen-0.9.1. Fixes #12445.

    • [bdubbs] - Update to cups-2.3.0. Fixes #12439.

    • [bdubbs] - Update to ibus-1.5.21. Fixes #12437.

    • [bdubbs] - Update to boost-1.71.0. Fixes #12435.

    • [bdubbs] - Update to poppler-0.80.0. Fixes #12432.

    • [bdubbs] - Update to babl-0.1.72. Fixes #12430.

    • [ken] - Update to firefox-69.0 (includes security fixes and dbus-glib is now required). Fixes #12475.

  • September 2nd, 2019

    • [bdubbs] - Update to libevdev-1.8.0. Fixes #12446.

    • [bdubbs] - Update to libvdpau-1.3. Fixes #12453.

    • [bdubbs] - Update to font-util-1.3.2 (xorg fonts). Fixes #12443.

    • [bdubbs] - Update to libinput-1.14.1. Fixes #12442.

    • [bdubbs] - Update to mesa-19.1.5. Fixes #12434.

    • [bdubbs] - Update to harfbuzz-2.6.1. Fixes #12431.

    • [bdubbs] - Update to cups-filters-1.25.3. Fixes #12427.

    • [bdubbs] - Update to graphviz-2.42.1. Fixes #12421.

    • [bdubbs] - Update to swig-4.0.1. Fixes #12420.

    • [bdubbs] - Update to nspr-4.22. Fixes #12414.

    • [dj] - Replace Lsb_release and Initd-tools with LSB-Tools package.

    • [dj] - Begin update of bootscript headers. Partial fix for #12010.

    • [dj] - Remove unneeded elogind and mountcgroupfs bootscripts.

    • [dj] - Update to blfs-bootscripts-20190902.

  • September 1st, 2019

    • [bdubbs] - Release of BLFS-9.0.

Last updated on 2020-02-29 14:16:05 -0800

Mailing Lists

The linuxfromscratch.org server is hosting a number of mailing lists that are used for the development of the BLFS book. These lists include, among others, the main development and support lists.

For more information regarding which lists are available, how to subscribe to them, archive locations, etc., visit http://www.linuxfromscratch.org/mail.html.

Last updated on 2007-04-04 12:42:53 -0700

BLFS Wiki

The BLFS Project has created a Wiki for users to comment on pages and instructions at http://wiki.linuxfromscratch.org/blfs/wiki. Comments are welcome from all users.

The following are the rules for posting:

  • Users must register and log in to edit a page.

  • Suggestions to change the book should be made by creating a new ticket, not by making comments in the Wiki.

  • Questions with your specific installation problems should be made by subscribing and mailing to the BLFS Support Mailing List at mailto:blfs-support AT linuxfromscratch D0T org.

  • Discussions of build instructions should be made by subscribing and mailing to the BLFS Development List at mailto:blfs-dev AT linuxfromscratch D0T org.

  • Inappropriate material will be removed.

Last updated on 2007-04-04 12:42:53 -0700

Asking for Help and the FAQ

If you encounter a problem while using this book, and your problem is not listed in the FAQ (http://www.linuxfromscratch.org/faq), you will find that most of the people on Internet Relay Chat (IRC) and on the mailing lists are willing to help you. An overview of the LFS mailing lists can be found in Mailing lists. To assist us in diagnosing and solving your problem, include as much relevant information as possible in your request for help.

Things to Check Prior to Asking

Before asking for help, you should review the following items:

  • Is the hardware support compiled into the kernel or available as a module to the kernel? If it is a module, is it configured properly in modprobe.conf and has it been loaded? You should use lsmod as the root user to see if it's loaded. Check the sys.log file or run modprobe <driver> to review any error message. If it loads properly, you may need to add the modprobe command to your boot scripts.

  • Are your permissions properly set, especially for devices? LFS uses groups to make these settings easier, but it also adds the step of adding users to groups to allow access. A simple usermod -G audio <user> may be all that's necessary for that user to have access to the sound system. Any question that starts out with It works as root, but not as ... requires a thorough review of permissions prior to asking.

  • BLFS liberally uses /opt/<package>. The main objection to this centers around the need to expand your environment variables for each package placed there (e.g., PATH=$PATH:/opt/kde/bin). In most cases, the package instructions will walk you through the changes, but some will not. The section called Going Beyond BLFS is available to help you check.

Things to Mention

Apart from a brief explanation of the problem you're having, the essential things to include in your request are:

  • the version of the book you are using (being 9.1),

  • the package or section giving you problems,

  • the exact error message or symptom you are receiving,

  • whether you have deviated from the book or LFS at all,

  • if you are installing a BLFS package on a non-LFS system.

(Note that saying that you've deviated from the book doesn't mean that we won't help you. It'll just help us to see other possible causes of your problem.)

Expect guidance instead of specific instructions. If you are instructed to read something, please do so. It generally implies that the answer was way too obvious and that the question would not have been asked if a little research was done prior to asking. The volunteers in the mailing list prefer not to be used as an alternative to doing reasonable research on your end. In addition, the quality of your experience with BLFS is also greatly enhanced by this research, and the quality of volunteers is enhanced because they don't feel that their time has been abused, so they are far more likely to participate.

An excellent article on asking for help on the Internet in general has been written by Eric S. Raymond. It is available online at http://www.catb.org/~esr/faqs/smart-questions.html. Read and follow the hints in that document and you are much more likely to get a response to start with and also to get the help you actually need.

Last updated on 2009-09-24 22:43:37 -0700

Credits

Many people have contributed both directly and indirectly to BLFS. This page lists all of those we can think of. We may well have left people out and if you feel this is the case, drop us a line. Many thanks to all of the LFS community for their assistance with this project.

Current Editors

  • Bruce Dubbs

  • Pierre Labastie

  • DJ Lucas

  • Ken Moffat

  • Douglas Reno

Contributors and Past Editors

The list of contributors is far too large to provide detailed information about the contributions for each contributor. Over the years, the following individuals have provided significant inputs to the book:

  • Timothy Bauscher

  • Daniel Bauman

  • Jeff Bauman

  • Andy Benton

  • Wayne Blaszczyk

  • Paul Campbell

  • Nathan Coulson

  • Jeroen Coumans

  • Guy Dalziel

  • Robert Daniels

  • Richard Downing

  • Manuel Canales Esparcia

  • Jim Gifford

  • Manfred Glombowski

  • Ag Hatzimanikas

  • Mark Hymers

  • James Iwanek

  • David Jensen

  • Jeremy Jones

  • Seth Klein

  • Alex Kloss

  • Eric Konopka

  • Larry Lawrence

  • Chris Lynn

  • Andrew McMurry

  • Randy McMurchy

  • Denis Mugnier

  • Billy O'Connor

  • Fernando de Oliveira

  • Alexander Patrakov

  • Olivier Peres

  • Andreas Pedersen

  • Henning Rohde

  • Matt Rogers

  • James Robertson

  • Henning Rohde

  • Chris Staub

  • Jesse Tie-Ten-Quee

  • Ragnar Thomsen

  • Thomas Trepl

  • Tushar Teredesai

  • Jeremy Utley

  • Zack Winkles

  • Christian Wurst

  • Igor Živković

General Acknowledgments

  • Fernando Arbeiza

  • Miguel Bazdresch

  • Gerard Beekmans

  • Oliver Brakmann

  • Jeremy Byron

  • Ian Chilton

  • David Ciecierski

  • Jim Harris

  • Lee Harris

  • Marc Heerdink

  • Steffen Knollmann

  • Eric Konopka

  • Scot McPherson

  • Ted Riley

Last updated on 2018-09-01 14:51:57 -0700

Contact Information

Please direct your emails to one of the BLFS mailing lists. See Mailing lists for more information on the available mailing lists.

Last updated on 2012-02-05 21:15:51 -0800

Chapter 2. Important Information

This chapter is used to explain some of the policies used throughout the book, to introduce important concepts and to explain some issues you may see with some of the included packages.

Notes on Building Software

Those people who have built an LFS system may be aware of the general principles of downloading and unpacking software. Some of that information is repeated here for those new to building their own software.

Each set of installation instructions contains a URL from which you can download the package. The patches; however, are stored on the LFS servers and are available via HTTP. These are referenced as needed in the installation instructions.

While you can keep the source files anywhere you like, we assume that you have unpacked the package and changed into the directory created by the unpacking process (the 'build' directory). We also assume you have uncompressed any required patches and they are in the directory immediately above the 'build' directory.

We can not emphasize strongly enough that you should start from a clean source tree each time. This means that if you have had an error during configuration or compilation, it's usually best to delete the source tree and re-unpack it before trying again. This obviously doesn't apply if you're an advanced user used to hacking Makefiles and C code, but if in doubt, start from a clean tree.

Building Software as an Unprivileged (non-root) User

The golden rule of Unix System Administration is to use your superpowers only when necessary. Hence, BLFS recommends that you build software as an unprivileged user and only become the root user when installing the software. This philosophy is followed in all the packages in this book. Unless otherwise specified, all instructions should be executed as an unprivileged user. The book will advise you on instructions that need root privileges.

Unpacking the Software

If a file is in .tar format and compressed, it is unpacked by running one of the following commands:

tar -xvf filename.tar.gz
tar -xvf filename.tgz
tar -xvf filename.tar.Z
tar -xvf filename.tar.bz2

Note

You may omit using the v parameter in the commands shown above and below if you wish to suppress the verbose listing of all the files in the archive as they are extracted. This can help speed up the extraction as well as make any errors produced during the extraction more obvious to you.

You can also use a slightly different method:

bzcat filename.tar.bz2 | tar -xv

Finally, you sometimes need to be able to unpack patches which are generally not in .tar format. The best way to do this is to copy the patch file to the parent of the 'build' directory and then run one of the following commands depending on whether the file is a .gz or .bz2 file:

gunzip -v patchname.gz
bunzip2 -v patchname.bz2

Verifying File Integrity Using 'md5sum'

Generally, to verify that the downloaded file is genuine and complete, many package maintainers also distribute md5sums of the files. To verify the md5sum of the downloaded files, download both the file and the corresponding md5sum file to the same directory (preferably from different on-line locations), and (assuming file.md5sum is the md5sum file downloaded) run the following command:

md5sum -c file.md5sum

If there are any errors, they will be reported. Note that the BLFS book includes md5sums for all the source files also. To use the BLFS supplied md5sums, you can create a file.md5sum (place the md5sum data and the exact name of the downloaded file on the same line of a file, separated by white space) and run the command shown above. Alternately, simply run the command shown below and compare the output to the md5sum data shown in the BLFS book.

md5sum <name_of_downloaded_file>

Creating Log Files During Installation

For larger packages, it is convenient to create log files instead of staring at the screen hoping to catch a particular error or warning. Log files are also useful for debugging and keeping records. The following command allows you to create an installation log. Replace <command> with the command you intend to execute.

( <command> 2>&1 | tee compile.log && exit $PIPESTATUS )

2>&1 redirects error messages to the same location as standard output. The tee command allows viewing of the output while logging the results to a file. The parentheses around the command run the entire command in a subshell and finally the exit $PIPESTATUS command ensures the result of the <command> is returned as the result and not the result of the tee command.

Using Multiple Processors

For many modern systems with multiple processors (or cores) the compilation time for a package can be reduced by performing a "parallel make" by either setting an environment variable or telling the make program how many processors are available. For instance, a Core2Duo can support two simultaneous processes with:

export MAKEFLAGS='-j2'

or just building with:

make -j2

Generally the number of processes should not exceed the number of cores supported by the CPU. To list the processors on your system, issue: grep processor /proc/cpuinfo.

In some cases, using multiple processors may result in a 'race' condition where the success of the build depends on the order of the commands run by the make program. For instance, if an executable needs File A and File B, attempting to link the program before one of the dependent components is available will result in a failure. This condition usually arises because the upstream developer has not properly designated all the prerequisites needed to accomplish a step in the Makefile.

If this occurs, the best way to proceed is to drop back to a single processor build. Adding '-j1' to a make command will override the similar setting in the MAKEFLAGS environment variable.

Note

When running the package tests or the install portion of the package build process, we do not recommend using an option greater than '-j1' unless specified otherwise. The installation procedures or checks have not been validated using parallel procedures and may fail with issues that are difficult to debug.

Automated Building Procedures

There are times when automating the building of a package can come in handy. Everyone has their own reasons for wanting to automate building, and everyone goes about it in their own way. Creating Makefiles, Bash scripts, Perl scripts or simply a list of commands used to cut and paste are just some of the methods you can use to automate building BLFS packages. Detailing how and providing examples of the many ways you can automate the building of packages is beyond the scope of this section. This section will expose you to using file redirection and the yes command to help provide ideas on how to automate your builds.

File Redirection to Automate Input

You will find times throughout your BLFS journey when you will come across a package that has a command prompting you for information. This information might be configuration details, a directory path, or a response to a license agreement. This can present a challenge to automate the building of that package. Occasionally, you will be prompted for different information in a series of questions. One method to automate this type of scenario requires putting the desired responses in a file and using redirection so that the program uses the data in the file as the answers to the questions.

Building the CUPS package is a good example of how redirecting a file as input to prompts can help you automate the build. If you run the test suite, you are asked to respond to a series of questions regarding the type of test to run and if you have any auxiliary programs the test can use. You can create a file with your responses, one response per line, and use a command similar to the one shown below to automate running the test suite:

make check < ../cups-1.1.23-testsuite_parms

This effectively makes the test suite use the responses in the file as the input to the questions. Occasionally you may end up doing a bit of trial and error determining the exact format of your input file for some things, but once figured out and documented you can use this to automate building the package.

Using yes to Automate Input

Sometimes you will only need to provide one response, or provide the same response to many prompts. For these instances, the yes command works really well. The yes command can be used to provide a response (the same one) to one or more instances of questions. It can be used to simulate pressing just the Enter key, entering the Y key or entering a string of text. Perhaps the easiest way to show its use is in an example.

First, create a short Bash script by entering the following commands:

cat > blfs-yes-test1 << "EOF"
#!/bin/bash

echo -n -e "\n\nPlease type something (or nothing) and press Enter ---> "

read A_STRING

if test "$A_STRING" = ""; then A_STRING="Just the Enter key was pressed"
else A_STRING="You entered '$A_STRING'"
fi

echo -e "\n\n$A_STRING\n\n"
EOF
chmod 755 blfs-yes-test1

Now run the script by issuing ./blfs-yes-test1 from the command line. It will wait for a response, which can be anything (or nothing) followed by the Enter key. After entering something, the result will be echoed to the screen. Now use the yes command to automate the entering of a response:

yes | ./blfs-yes-test1

Notice that piping yes by itself to the script results in y being passed to the script. Now try it with a string of text:

yes 'This is some text' | ./blfs-yes-test1

The exact string was used as the response to the script. Finally, try it using an empty (null) string:

yes '' | ./blfs-yes-test1

Notice this results in passing just the press of the Enter key to the script. This is useful for times when the default answer to the prompt is sufficient. This syntax is used in the Net-tools instructions to accept all the defaults to the many prompts during the configuration step. You may now remove the test script, if desired.

File Redirection to Automate Output

In order to automate the building of some packages, especially those that require you to read a license agreement one page at a time, requires using a method that avoids having to press a key to display each page. Redirecting the output to a file can be used in these instances to assist with the automation. The previous section on this page touched on creating log files of the build output. The redirection method shown there used the tee command to redirect output to a file while also displaying the output to the screen. Here, the output will only be sent to a file.

Again, the easiest way to demonstrate the technique is to show an example. First, issue the command:

ls -l /usr/bin | more

Of course, you'll be required to view the output one page at a time because the more filter was used. Now try the same command, but this time redirect the output to a file. The special file /dev/null can be used instead of the filename shown, but you will have no log file to examine:

ls -l /usr/bin | more > redirect_test.log 2>&1

Notice that this time the command immediately returned to the shell prompt without having to page through the output. You may now remove the log file.

The last example will use the yes command in combination with output redirection to bypass having to page through the output and then provide a y to a prompt. This technique could be used in instances when otherwise you would have to page through the output of a file (such as a license agreement) and then answer the question of do you accept the above?. For this example, another short Bash script is required:

cat > blfs-yes-test2 << "EOF"
#!/bin/bash

ls -l /usr/bin | more

echo -n -e "\n\nDid you enjoy reading this? (y,n) "

read A_STRING

if test "$A_STRING" = "y"; then A_STRING="You entered the 'y' key"
else A_STRING="You did NOT enter the 'y' key"
fi

echo -e "\n\n$A_STRING\n\n"
EOF
chmod 755 blfs-yes-test2

This script can be used to simulate a program that requires you to read a license agreement, then respond appropriately to accept the agreement before the program will install anything. First, run the script without any automation techniques by issuing ./blfs-yes-test2.

Now issue the following command which uses two automation techniques, making it suitable for use in an automated build script:

yes | ./blfs-yes-test2 > blfs-yes-test2.log 2>&1

If desired, issue tail blfs-yes-test2.log to see the end of the paged output, and confirmation that y was passed through to the script. Once satisfied that it works as it should, you may remove the script and log file.

Finally, keep in mind that there are many ways to automate and/or script the build commands. There is not a single correct way to do it. Your imagination is the only limit.

Dependencies

For each package described, BLFS lists the known dependencies. These are listed under several headings, whose meaning is as follows:

  • Required means that the target package cannot be correctly built without the dependency having first been installed.

  • Recommended means that BLFS strongly suggests this package is installed first for a clean and trouble-free build, that won't have issues either during the build process, or at run-time. The instructions in the book assume these packages are installed. Some changes or workarounds may be required if these packages are not installed.

  • Optional means that this package might be installed for added functionality. Often BLFS will describe the dependency to explain the added functionality that will result.

Using the Most Current Package Sources

On occasion you may run into a situation in the book when a package will not build or work properly. Though the Editors attempt to ensure that every package in the book builds and works properly, sometimes a package has been overlooked or was not tested with this particular version of BLFS.

If you discover that a package will not build or work properly, you should see if there is a more current version of the package. Typically this means you go to the maintainer's web site and download the most current tarball and attempt to build the package. If you cannot determine the maintainer's web site by looking at the download URLs, use Google and query the package's name. For example, in the Google search bar type: 'package_name download' (omit the quotes) or something similar. Sometimes typing: 'package_name home page' will result in you finding the maintainer's web site.

Stripping One More Time

In LFS, stripping of debugging symbols was discussed a couple of times. When building BLFS packages, there are generally no special instructions that discuss stripping again. It is probably not a good idea to strip an executable or a library while it is in use, so exiting any windowing environment is a good idea. Then you can do:

find /{,usr/}{bin,lib,sbin} \
    -type f \( -name \*.so* -a ! -name \*dbg \) \
    -exec strip --strip-unneeded {} \;

If you install programs in other directories such as /opt or /usr/local, you may want to strip the files there too.

For more information on stripping, see http://www.technovelty.org/linux/stripping-shared-libraries.html.

Working with different build systems

There are now three different build systems in common use for converting C or C++ source code into compiled programs or libraries and their details (particularly, finding out about available options and their default values) differ. It may be easiest to understand the issues caused by some choices (typically slow execution or unexpected use of, or omission of, optimizatons) by starting with the CFLAGS and CXXFLAGS environment variables. There are also some programs which use rust.

Most LFS and BLFS builders are probably aware of the basics of CFLAGS and CXXFLAGS for altering how a program is compiled. Typically, some form of optimization is used by upstream developers (-O2 or -O3), sometimes with the creation of debug symbols (-g), as defaults.

If there are contradictory flags (e.g. multiple different -O values), the last value will be used. Sometimes this means that flags specified in environment variables will be picked up before values hardcoded in the Makefile, and therefore ignored. For example, where a user specifies '-O2' and that is followed by '-O3' the build will use '-O3'.

There are various other things which can be passed in CFLAGS or CXXFLAGS, such as forcing compilation for a specific microarchitecture (e.g. -march=amdfam10, -march=native) or specifying a specific standard for C or C++ (-std=c++17 for example). But one thing which has now come to light is that programmers might include debug assertions in their code, expecting them to be disabled in releases by using -DNDEBUG. Specifically, if Mesa-19.3.4 is built with these assertions enabled, some activities such as loading levels of games can take extremely long times, even on high-class video cards.

Autotools with Make

This combination is often described as 'CMMI' (configure, make, make install) and is used here to also cover the few packages which have a configure script that is not generated by autotools.

Sometimes running ./configure --help will produce useful options about switches which might be used. At other times, after looking at the output from configure you may need to look at the details of the script to find out what it was actually searching for.

Many configure scripts will pick up any CFLAGS or CXXFLAGS from the environment, but CMMI packages vary about how these will be mixed with any flags which would otherwise be used (variously: ignored, used to replace the programmer's suggestion, used before the programmer's suggestion, or used after the programmer's suggestion).

In most CMMI packages, running 'make' will list each command and run it, interspersed with any warnings. But some packages try to be 'silent' and only show which file they are compiling or linking instead of showing the command line. If you need to inspect the command, either because of an error, or just to see what options and flags are being used, adding 'V=1' to the make invocation may help.

CMake

CMake works in a very different way, and it has two backends which can be used on BLFS: 'make' and 'ninja'. The default backend is make, but ninja can be faster on large packages with multiple processors. To use ninja, specify '-G Ninja' in the cmake command. However, there are some packages which create fatal errors in their ninja files but build successfully using the default of Unix Makefiles.

The hardest part of using CMake is knowing what options you might wish to specify. The only way to get a list of what the package knows about is to run cmake -LAH and look at the output for that default configuration.

Perhaps the most-important thing about CMake is that it has a variety of CMAKE_BUILD_TYPE values, and these affect the flags. The default is that this is not set and no flags are generated. Any CFLAGS or CXXFLAGS in the environment will be used. If the programmer has coded any debug assertions, those will be enabled unless -DNDEBUG is used. The following CMAKE_BUILD_TYPE values will generate the flags shown, and these will come after any flags in the environment and therefore take precedence.

  • Debug : '-g'

  • Release : '-O3 -DNDEBUG'

  • RelWithDebInfo : '-O2 -g -DNDEBUG'

  • MinSizeRel : '-Os -DNDEBUG'

CMake tries to produce quiet builds. To see the details of the commands which are being run, use 'make VERBOSE=1' or 'ninja -v'.

Meson

Meson has some similarities to CMake, but many differences. To get details of the defines that you may wish to change you can look at meson_options.txt which is usually in the top-level directory.

If you have already configured the package by running meson and now wish to change one or more settings, you can either remove the build directory, recreate it, and use the altered options, or within the build directory run meson configure, e.g. to set an option:

meson configure -D<some_option>=true

If you do that, the file meson-private/cmd_line.txt will show the last commands which were used.

Meson provides the following buildtype values, and the flags they enable come after any flags supplied in the environment and therefore take precedence.

  • plain : no added flags. This is for distributors to supply their own CLFAGS, CXXFLAGS and LDFLAGS. There is no obvious reason to use this in BLFS.

  • debug : '-g'

  • debugoptimized : '-O2 -g' - this is the default if nothing is specified, it leaves assertions enabled.

  • release : '-O3 -DNDEBUG' (but occasionally a package will force -O2 here)

Although the 'release' buildtype is described as enabling -DNDEBUG, and all CMake Release builds pass that, it has so far only been observed (in verbose builds) for Mesa-19.3.4. That suggests that it might only be used when there are debug assertions present.

The -DNDEBUG flag can also be provided by passing -Db_ndebug=true.

To see the details of the commands which are being run in a package using meson, use 'ninja -v'.

Rustc and Cargo

Most released rustc programs are provided as crates (source tarballs) which will query a server to check current versions of dependencies and then download them as necessary. These packages are built using cargo --release. In theory, you can manipulate the RUSTFLAGS to change the optimize-level (default is 3, like -O3, e.g. -Copt-level=3) or to force it to build for the machine it is being compiled on, using -Ctarget-cpu=native but in practice this seems to make no significant difference.

If you find an interesting rustc program which is only provided as unpackaged source, you should at least specify RUSTFLAGS=-Copt-level=2 otherwise it will do an unoptimized compile with debug info and run much slower.

Optimizing the build

Many people will prefer to optimize compiles as they see fit, by providing CFLAGS or CXXFLAGS. For an introduction to the options available with gcc and g++ see https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html and https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html and info gcc.

Some packages default to '-O2 -g', others to '-O3 -g', and if CFLAGS or CXXFLAGS are supplied they might be added to the package's defaults, replace the package's defaults, or even be ignored. There are details on some desktop packages which were mostly current in April 2019 at http://www.linuxfromscratch.org/~ken/tuning/ - in particular, README.txt, tuning-1-packages-and-notes.txt, and tuning-notes-2B.txt. The particular thing to remember is that if you want to try some of the more interesting flags you may need to force verbose builds to confirm what is being used.

Clearly, if you are optimizing your own program you can spend time to profile it and perhaps recode some of it if it is too slow. But for building a whole system that approach is impractical. In general, -O3 usually produces faster programs than -O2. Specifying -march=native is also beneficial, but means that you cannot move the binaries to an incompatible machine - this can also apply to newer machines, not just to older machines. For example programs compiled for 'amdfam10' run on old Phenoms, Kaveris, and Ryzens : but programs compiled for a Kaveri will not run on a Ryzen because certain op-codes are not present. Similarly, if you build for a Haswell not everything will run on a SandyBridge.

There are also various other options which some people claim are beneficial. At worst, you get to recompile and test, and then discover that in your usage the options do not provide a benefit.

If building Perl or Python modules, or Qt packages which use qmake, in general the CFLAGS and CXXFLAGS used are those which were used by those 'parent' packages.

Options for hardening the build

Even on desktop systems, there are still a lot of exploitable vulnerabilities. For many of these, the attack comes via javascript in a browser. Often, a series of vulnerabilities are used to gain access to data (or sometimes to pwn, i.e. own, the machine and install rootkits). Most commercial distros will apply various hardening measures.

For hardening options which are reasonably cheap, there is some discussion in the 'tuning' link above (occasionally, one or more of these options might be inappropriate for a package). These options are -D_FORTIFY_SOURCE=2, -fstack-protector=strong, and (for C++) -D_GLIBCXX_ASSERTIONS. On modern machines these should only have a little impact on how fast things run, and often they will not be noticeable.

In the past, there was Hardened LFS where gcc (a much older version) was forced to use hardening (with options to turn some of it off on a per-package basis. What is being covered here is different - first you have to make sure that the package is indeed using your added flags and not over-riding them.

The main distros use much more, such as RELRO (Relocation Read Only) and perhaps -fstack-clash-protection. You may also encounter the so-called 'userspace retpoline' (-mindirect-branch=thunk etc.) which is the equivalent of the spectre mitigations applied to the linux kernel in late 2018). The kernel mitigations caused a lot of complaints about lost performance, if you have a production server you might wish to consider testing that, along with the other available options, to see if performance is still sufficient.

Whilst gcc has many hardening options, clang/LLVM's strengths lie elsewhere. Some options which gcc provides are said to be less effective in clang/LLVM, others are not available.

Last updated on 2020-02-22 19:55:40 -0800

The /usr Versus /usr/local Debate

Should I install XXX in /usr or /usr/local?

This is a question without an obvious answer for an LFS based system.

In traditional Unix systems, /usr usually contains files that come with the system distribution, and the /usr/local tree is free for the local administrator to manage. The only really hard and fast rule is that Unix distributions should not touch /usr/local, except perhaps to create the basic directories within it.

With Linux distributions like Red Hat, Debian, etc., a possible rule is that /usr is managed by the distribution's package system and /usr/local is not. This way the package manager's database knows about every file within /usr.

LFS users build their own system and so deciding where the system ends and local files begin is not straightforward. So the choice should be made in order to make things easier to administer. There are several reasons for dividing files between /usr and /usr/local.

  • On a network of several machines all running LFS, or mixed LFS and other Linux distributions, /usr/local could be used to hold packages that are common between all the computers in the network. It can be NFS mounted or mirrored from a single server. Here local indicates local to the site.

  • On a network of several computers all running an identical LFS system, /usr/local could hold packages that are different between the machines. In this case local refers to the individual computers.

  • Even on a single computer, /usr/local can be useful if you have several distributions installed simultaneously, and want a place to put packages that will be the same on all of them.

  • Or you might regularly rebuild your LFS, but want a place to put files that you don't want to rebuild each time. This way you can wipe the LFS file system and start from a clean partition every time without losing everything.

Some people ask why not use your own directory tree, e.g., /usr/site, rather than /usr/local?

There is nothing stopping you, many sites do make their own trees, however it makes installing new software more difficult. Automatic installers often look for dependencies in /usr and /usr/local, and if the file it is looking for is in /usr/site instead, the installer will probably fail unless you specifically tell it where to look.

What is the BLFS position on this?

All of the BLFS instructions install programs in /usr with optional instructions to install into /opt for some specific packages.

Last updated on 2007-04-04 12:42:53 -0700

Optional Patches

As you follow the various sections in the book, you will observe that the book occasionally includes patches that are required for a successful and secure installation of the packages. The general policy of the book is to include patches that fall in one of the following criteria:

  • Fixes a compilation problem.

  • Fixes a security problem.

  • Fixes a broken functionality.

In short, the book only includes patches that are either required or recommended. There is a Patches subproject which hosts various patches (including the patches referenced in the books) to enable you to configure your LFS the way you like it.

Last updated on 2007-04-04 12:42:53 -0700

BLFS Boot Scripts

The BLFS Bootscripts package contains the init scripts that are used throughout the book. It is assumed that you will be using the BLFS Bootscripts package in conjunction with a compatible LFS-Bootscripts package. Refer to ../../../../lfs/view/9.1/chapter07/bootscripts.html for more information on the LFS-Bootscripts package.

The BLFS Bootscripts package will be used throughout the BLFS book for startup scripts. Unlike LFS, each init script has a separate install target in the BLFS Bootscripts package. It is recommended you keep the package source directory around until completion of your BLFS system. When a script is requested from BLFS Bootscripts, simply change to the directory and as the root user, execute the given make install-<init-script> command. This command installs the init script to its proper location (along with any auxiliary configuration scripts) and also creates the appropriate symlinks to start and stop the service at the appropriate run-level.

Note

You should review each bootscript before installation to ascertain that it satisfies your need. Also verify that the start and stop symlinks it creates match your preferences.

Note

From time to time the bootscripts are updated to accommodate new packages or to make minor corrections. All versions of the bootscripts are located at http://anduin.linuxfromscratch.org/BLFS/blfs-bootscripts/.

Last updated on 2016-08-28 02:28:15 -0700

About Libtool Archive (.la) files

Files with a .la extention

In LFS we installed a package, libtool, that is used by many packages to build on a variety of Unix platforms. This includes platforms such as AIX, Solaris, IRIX, HP-UX, and Cygwin as well as Linux. The origins of this tool are quite dated. It was intended to manage libraries on systems with less advanced capabilities than a modern Linux system.

On a Linux system, libtool specific files are generally unneeded. Normally libraries are specified in the build process during the link phase. Since a linux system uses the Executable and Linkable Format (ELF) for executables and libraries, information needed to complete the task is embedded in the files. At run time the program loader can query the appropriate files and properly load and execute the program.

The problem is that libtool usually creates one or more text files for package libraries called libtool archives. These small files have a ".la" extention and contain information that is similar to that embedded in the libraries. When building a package that uses libtool, the process automatically looks for these files. If a package is updated and no longer uses the .la file, then the build process can break.

The solution is to remove the .la files. However there is a catch. Some packages, such as ImageMagick-7.0.9-23, use a libtool function, lt_dlopen, to load libraries as needed during execution and resolve their dependencies at run time. In this case, the .la files should remain.

The script below, removes all unneeded .la files and saves them in a directory, /var/local/la-files by default, not in the normal library path. It also searches all pkg-config files (.pc) for embedded references to .la files and fixes them to be conventional library references needed when an application or library is built. It can be run as needed to clean up the directories that may be causing problems.

cat > /usr/sbin/remove-la-files.sh << "EOF"
#!/bin/bash

# /usr/sbin/remove-la-files.sh
# Written for Beyond Linux From Scratch
# by Bruce Dubbs <[email protected]>

# Make sure we are running with root privs
if test "${EUID}" -ne 0; then
    echo "Error: $(basename ${0}) must be run as the root user! Exiting..."
    exit 1
fi

# Make sure PKG_CONFIG_PATH is set if discarded by sudo
source /etc/profile

OLD_LA_DIR=/var/local/la-files

mkdir -p $OLD_LA_DIR

# Only search directories in /opt, but not symlinks to directories
OPTDIRS=$(find /opt -mindepth 1 -maxdepth 1 -type d)

# Move any found .la files to a directory out of the way
find /usr/lib $OPTDIRS -name "*.la" ! -path "/usr/lib/ImageMagick*" \
  -exec mv -fv {} $OLD_LA_DIR \;
###############

# Fix any .pc files that may have .la references

STD_PC_PATH='/usr/lib/pkgconfig 
             /usr/share/pkgconfig 
             /usr/local/lib/pkgconfig 
             /usr/local/share/pkgconfig'

# For each directory that can have .pc files
for d in $(echo $PKG_CONFIG_PATH | tr : ' ') $STD_PC_PATH; do

  # For each pc file
  for pc in $d/*.pc ; do
    if [ $pc == "$d/*.pc" ]; then continue; fi

    # Check each word in a line with a .la reference
    for word in $(grep '\.la' $pc); do
      if $(echo $word | grep -q '.la$' ); then
        mkdir -p $d/la-backup
        cp -fv  $pc $d/la-backup

        basename=$(basename $word )
        libref=$(echo $basename|sed -e 's/^lib/-l/' -e 's/\.la$//')
           
        # Fix the .pc file
        sed -i "s:$word:$libref:" $pc
      fi
    done
  done
done

EOF

chmod +x /usr/sbin/remove-la-files.sh

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/la-files

Last updated on 2017-12-23 07:56:03 -0800

Libraries: Static or shared?

Libraries: Static or shared?

The original libraries were simply an archive of routines from which the required routines were extracted and linked into the executable program. These are described as static libraries (libfoo.a). On some old operating systems they are the only type available.

On almost all Linux platforms there are also shared libraries (libfoo.so) - one copy of the library is loaded into virtual memory, and shared by all the programs which call any of its functions. This is space efficient.

In the past, essential programs such as a shell were often linked statically so that some form of minimal recovery system would exist even if shared libraries, such as libc.so, became damaged (e.g. moved to lost+found after fsck following an unclean shutdown). Nowadays, most people use an alternative system install or a Live CD if they have to recover. Journaling filesystems also reduce the likelihood of this sort of problem.

Developers, at least while they are developing, often prefer to use static versions of the libraries which their code links to.

Within the book, there are various places where configure switches such as --disable-static are employed, and other places where the possibility of using system versions of libraries instead of the versions included within another package is discussed. The main reason for this is to simplify updates of libraries.

If a package is linked to a dynamic library, updating to a newer library version is automatic once the newer library is installed and the program is (re)started (provided the library major version is unchanged, e.g. going from libfoo.so.2.0 to libfoo.so.2.1. Going to libfoo.so.3 will require recompilation - ldd can be used to find which programs use the old version). If a program is linked to a static library, the program always has to be recompiled. If you know which programs are linked to a particular static library, this is merely an annoyance. But usually you will not know which programs to recompile.

Most libraries are shared, but if you do something unusual, such as moving a shared library to /lib accidentally breaking the .so symlink in /usr/lib while keeping the static library in /lib, the static library will be silently linked into the programs which need it.

One way to identify when a static library is used, is to deal with it at the end of the installation of every package. Write a script to find all the static libraries in /usr/lib or wherever you are installing to, and either move them to another directory so that they are no longer found by the linker, or rename them so that libfoo.a becomes e.g. libfoo.a.hidden. The static library can then be temporarily restored if it is ever needed, and the package needing it can be identified. You may choose to exclude some of the static libraries from glibc if you do this (libc_nonshared.a, libg.a, libieee.a, libm.a, libpthread_nonshared.a, librpcsvc.a, libsupc++.a) to simplify compilation.

If you use this approach, you may discover that more packages than you were expecting use a static library. That was the case with nettle-2.4 in its default static-only configuration: It was required by GnuTLS-3.0.19, but also linked into package(s) which used GnuTLS, such as glib-networking-2.32.3.

Many packages put some of their common functions into a static library which is only used by the programs within the package and, crucially, the library is not installed as a standalone library. These internal libraries are not a problem - if the package has to be rebuilt to fix a bug or vulnerability, nothing else is linked to them.

When BLFS mentions system libraries, it means shared versions of libraries. Some packages such as Firefox-68.5.0 and ghostscript-9.50 include many other libraries. When they link to them, they link statically so this also makes the programs bigger. The version they ship is often older than the version used in the system, so it may contain bugs - sometimes developers go to the trouble of fixing bugs in their included libraries, other times they do not.

Sometimes, deciding to use system libraries is an easy decision. Other times it may require you to alter the system version (e.g. for libpng-1.6.37 if used for Firefox-68.5.0). Occasionally, a package ships an old library and can no longer link to the current version, but can link to an older version. In this case, BLFS will usually just use the shipped version. Sometimes the included library is no longer developed separately, or its upstream is now the same as the package's upstream and you have no other packages which will use it. In those cases, you might decide to use the included static library even if you usually prefer to use system libraries.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/libraries

Last updated on 2015-09-20 15:38:20 -0700

Locale Related Issues

This page contains information about locale related problems and issues. In the following paragraphs you'll find a generic overview of things that can come up when configuring your system for various locales. Many (but not all) existing locale related problems can be classified and fall under one of the headings below. The severity ratings below use the following criteria:

  • Critical: The program doesn't perform its main function. The fix would be very intrusive, it's better to search for a replacement.

  • High: Part of the functionality that the program provides is not usable. If that functionality is required, it's better to search for a replacement.

  • Low: The program works in all typical use cases, but lacks some functionality normally provided by its equivalents.

If there is a known workaround for a specific package, it will appear on that package's page. For the most recent information about locale related issues for individual packages, check the User Notes in the BLFS Wiki.

The Needed Encoding is Not a Valid Option in the Program

Severity: Critical

Some programs require the user to specify the character encoding for their input or output data and present only a limited choice of encodings. This is the case for the -X option in a2ps-4.14 and Enscript-1.6.6, the -input-charset option in unpatched Cdrtools-3.02a09, and the character sets offered for display in the menu of Links-2.20.2. If the required encoding is not in the list, the program usually becomes completely unusable. For non-interactive programs, it may be possible to work around this by converting the document to a supported input character set before submitting to the program.

A solution to this type of problem is to implement the necessary support for the missing encoding as a patch to the original program or to find a replacement.

The Program Assumes the Locale-Based Encoding of External Documents

Severity: High for non-text documents, low for text documents

Some programs, nano-4.8 or JOE-4.6 for example, assume that documents are always in the encoding implied by the current locale. While this assumption may be valid for the user-created documents, it is not safe for external ones. When this assumption fails, non-ASCII characters are displayed incorrectly, and the document may become unreadable.

If the external document is entirely text based, it can be converted to the current locale encoding using the iconv program.

For documents that are not text-based, this is not possible. In fact, the assumption made in the program may be completely invalid for documents where the Microsoft Windows operating system has set de facto standards. An example of this problem is ID3v1 tags in MP3 files (see the BLFS Wiki ID3v1Coding page for more details). For these cases, the only solution is to find a replacement program that doesn't have the issue (e.g., one that will allow you to specify the assumed document encoding).

Among BLFS packages, this problem applies to nano-4.8, JOE-4.6, and all media players except Audacious-3.10.1.

Another problem in this category is when someone cannot read the documents you've sent them because their operating system is set up to handle character encodings differently. This can happen often when the other person is using Microsoft Windows, which only provides one character encoding for a given country. For example, this causes problems with UTF-8 encoded TeX documents created in Linux. On Windows, most applications will assume that these documents have been created using the default Windows 8-bit encoding.

In extreme cases, Windows encoding compatibility issues may be solved only by running Windows programs under Wine.

The Program Uses or Creates Filenames in the Wrong Encoding

Severity: Critical

The POSIX standard mandates that the filename encoding is the encoding implied by the current LC_CTYPE locale category. This information is well-hidden on the page which specifies the behavior of Tar and Cpio programs. Some programs get it wrong by default (or simply don't have enough information to get it right). The result is that they create filenames which are not subsequently shown correctly by ls, or they refuse to accept filenames that ls shows properly. For the GLib-2.62.4 library, the problem can be corrected by setting the G_FILENAME_ENCODING environment variable to the special "@locale" value. Glib2 based programs that don't respect that environment variable are buggy.

The Zip-3.0 and UnZip-6.0 have this problem because they hard-code the expected filename encoding. UnZip contains a hard-coded conversion table between the CP850 (DOS) and ISO-8859-1 (UNIX) encodings and uses this table when extracting archives created under DOS or Microsoft Windows. However, this assumption only works for those in the US and not for anyone using a UTF-8 locale. Non-ASCII characters will be mangled in the extracted filenames.

The general rule for avoiding this class of problems is to avoid installing broken programs. If this is impossible, the convmv command-line tool can be used to fix filenames created by these broken programs, or intentionally mangle the existing filenames to meet the broken expectations of such programs.

In other cases, a similar problem is caused by importing filenames from a system using a different locale with a tool that is not locale-aware (e.g., OpenSSH-8.2p1). In order to avoid mangling non-ASCII characters when transferring files to a system with a different locale, any of the following methods can be used:

  • Transfer anyway, fix the damage with convmv.

  • On the sending side, create a tar archive with the --format=posix switch passed to tar (this will be the default in a future version of tar).

  • Mail the files as attachments. Mail clients specify the encoding of attached filenames.

  • Write the files to a removable disk formatted with a FAT or FAT32 filesystem.

  • Transfer the files using Samba.

  • Transfer the files via FTP using RFC2640-aware server (this currently means only wu-ftpd, which has bad security history) and client (e.g., lftp).

The last four methods work because the filenames are automatically converted from the sender's locale to UNICODE and stored or sent in this form. They are then transparently converted from UNICODE to the recipient's locale encoding.

The Program Breaks Multibyte Characters or Doesn't Count Character Cells Correctly

Severity: High or critical

Many programs were written in an older era where multibyte locales were not common. Such programs assume that C "char" data type, which is one byte, can be used to store single characters. Further, they assume that any sequence of characters is a valid string and that every character occupies a single character cell. Such assumptions completely break in UTF-8 locales. The visible manifestation is that the program truncates strings prematurely (i.e., at 80 bytes instead of 80 characters). Terminal-based programs don't place the cursor correctly on the screen, don't react to the "Backspace" key by erasing one character, and leave junk characters around when updating the screen, usually turning the screen into a complete mess.

Fixing this kind of problems is a tedious task from a programmer's point of view, like all other cases of retrofitting new concepts into the old flawed design. In this case, one has to redesign all data structures in order to accommodate to the fact that a complete character may span a variable number of "char"s (or switch to wchar_t and convert as needed). Also, for every call to the "strlen" and similar functions, find out whether a number of bytes, a number of characters, or the width of the string was really meant. Sometimes it is faster to write a program with the same functionality from scratch.

Among BLFS packages, this problem applies to xine-ui-0.99.12 and all the shells.

The Package Installs Manual Pages in Incorrect or Non-Displayable Encoding

Severity: Low

LFS expects that manual pages are in the language-specific (usually 8-bit) encoding, as specified on the LFS Man DB page. However, some packages install translated manual pages in UTF-8 encoding (e.g., Shadow, already dealt with), or manual pages in languages not in the table. Not all BLFS packages have been audited for conformance with the requirements put in LFS (the large majority have been checked, and fixes placed in the book for packages known to install non-conforming manual pages). If you find a manual page installed by any of BLFS packages that is obviously in the wrong encoding, please remove or convert it as needed, and report this to BLFS team as a bug.

You can easily check your system for any non-conforming manual pages by copying the following short shell script to some accessible location,

#!/bin/sh
# Begin checkman.sh
# Usage: find /usr/share/man -type f | xargs checkman.sh
for a in "$@"
do
    # echo "Checking $a..."
    # Pure-ASCII manual page (possibly except comments) is OK
    grep -v '.\\"' "$a" | iconv -f US-ASCII -t US-ASCII >/dev/null 2>&1 \
        && continue
    # Non-UTF-8 manual page is OK
    iconv -f UTF-8 -t UTF-8 "$a" >/dev/null 2>&1 || continue
    # Found a UTF-8 manual page, bad.
    echo "UTF-8 manual page: $a" >&2
done
# End checkman.sh

and then issuing the following command (modify the command below if the checkman.sh script is not in your PATH environment variable):

find /usr/share/man -type f | xargs checkman.sh

Note that if you have manual pages installed in any location other than /usr/share/man (e.g., /usr/local/share/man), you must modify the above command to include this additional location.

Last updated on 2017-06-29 22:13:10 -0700

Going Beyond BLFS

The packages that are installed in this book are only the tip of the iceberg. We hope that the experience you gained with the LFS book and the BLFS book will give you the background needed to compile, install and configure packages that are not included in this book.

When you want to install a package to a location other than /, or /usr, you are installing outside the default environment settings on most machines. The following examples should assist you in determining how to correct this situation. The examples cover the complete range of settings that may need updating, but they are not all needed in every situation.

  • Expand the PATH to include $PREFIX/bin.

  • Expand the PATH for root to include $PREFIX/sbin.

  • Add $PREFIX/lib to /etc/ld.so.conf or expand LD_LIBRARY_PATH to include it. Before using the latter option, check out http://xahlee.org/UnixResource_dir/_/ldpath.html. If you modify /etc/ld.so.conf, remember to update /etc/ld.so.cache by executing ldconfig as the root user.

  • Add $PREFIX/man to /etc/man_db.conf or expand MANPATH.

  • Add $PREFIX/info to INFOPATH.

  • Add $PREFIX/lib/pkgconfig to PKG_CONFIG_PATH. Some packages are now installing .pc files in $PREFIX/share/pkgconfig, so you may have to include this directory also.

  • Add $PREFIX/include to CPPFLAGS when compiling packages that depend on the package you installed.

  • Add $PREFIX/lib to LDFLAGS when compiling packages that depend on a library installed by the package.

If you are in search of a package that is not in the book, the following are different ways you can search for the desired package.

Some general hints on handling new packages:

  • Many of the newer packages follow the ./configure && make && make install process. Help on the options accepted by configure can be obtained via the command ./configure --help.

  • Most of the packages contain documentation on compiling and installing the package. Some of the documents are excellent, some not so excellent. Check out the homepage of the package for any additional and updated hints for compiling and configuring the package.

  • If you are having a problem compiling the package, try searching the LFS archives at http://www.linuxfromscratch.org/search.html for the error or if that fails, try searching Google. Often, a distribution will have already solved the problem (many of them use development versions of packages, so they see the changes sooner than those of us who normally use stable released versions). But be cautious - all builders tend to carry patches which are no longer necessary, and to have fixes which are only required because of their particular choices in how they build a package. You may have to search deeply to find a fix for the package version you are trying to use, or even to find the package (names are sometimes not what you might expect, e.g. ghostscript often has a prefix or a suffix in its name), but the following notes might help, particularly for those who, like the editors, are trying to build the latest versions and encountering problems:

    • Arch http://www.archlinux.org/packages/ - enter the package name in the 'Keywords' box, select the package name, select the 'Source Files' field, and then select the PKGBUILD entry to see how they build this package.

    • Debian ftp://ftp.uk.debian.org/debian/pool (use your country's version if there is one) - the source will be in .tar.gz tarballs (either the original upstream .orig source, or else a dfsg containing those parts which comply with debian's free software guidelines) accompanied by versioned .diff.gz or .tar.gz additions. These additions often show how the package is built, and may contain patches. In the .diff.gz versions, any patches create files in debian/patches.

    • Fedora package source gets reorganized from time to time. At the moment the package source for rpms is at https://src.fedoraproject.org/projects/rpms/%2A and from there you can try putting a package name in the search box. If the package is found you can look at the files (specfile to control the build, various patches) or the commits. If that fails, you can download an srpm (source rpm) and using rpm2cpio (see the Tip at the bottom of the page). For rpms go to https://dl.fedoraproject.org/pub/fedora/linux/ and then choose which repo you wish to look at - development/rawhide is the latest development, or choose releases for what was shipped in a release, updates for updates to a release, or updates/testing for the latest updates which might work or might have problems.

    • Gentoo - the mirrors for ebuilds and patches seem to be well-hidden, and they change frequently. Also, if you have found a mirror, you need to know which directory the application has been assigned to. The ebuilds themselves can be found at http://packages.gentoo.org/ - use the search field. If there are any patches, a mirror will have them in the files/ directory. Depending on your browser, or the mirror, you might need to download the ebuild to be able to read it. Treat the ebuild as a sort of pseudo-code / shell combination - look in particular for sed commands and patches, or hazard a guess at the meanings of the functions such as dodoc.

    • openSUSE provide a rolling release, some package versions are in http://download.opensuse.org/source/tumbleweed/repo/oss/src/ but others are in ../update/openSUSE-current/src - the source only seems to be available in source rpms.

    • Slackware - the official package browser is currently broken. The site at http://slackbuilds.org/ has current and previous versions in their unofficial repository with links to homepages, downloads, and some individual files, particularly the .SlackBuild files.

    • Ubuntu ftp://ftp.ubuntu.com/ubuntu/pool/ - see the debian notes above.

    If everything else fails, try the blfs-support mailing-list.

Tip

If you have found a package that is only available in .deb or .rpm format, there are two small scripts, rpm2targz and deb2targz that are available at http://downloads.linuxfromscratch.org/deb2targz.tar.bz2 and http://downloads.linuxfromscratch.org/rpm2targz.tar.bz2 to convert the archives into a simple tar.gz format.

You may also find an rpm2cpio script useful. The Perl version in the linux kernel archives at http://lkml.indiana.edu/hypermail/linux/kernel/0210.2/att-0093/01-rpm2cpio works for most source rpms. The rpm2targz script will use an rpm2cpio script or binary if one is on your path. Note that rpm2cpio will unpack a source rpm in the current directory, giving a tarball, a spec file, and perhaps patches or other files.

Last updated on 2020-02-06 15:43:11 -0800

Part II. Post LFS Configuration and Extra Software

Chapter 3. After LFS Configuration Issues

The intention of LFS is to provide a basic system which you can build upon. There are several things about tidying up the system which many people wonder about once they have done the base install. We hope to cover these issues in this chapter.

Most people coming from non-Unix like backgrounds to Linux find the concept of text-only configuration files slightly strange. In Linux, just about all configuration is done via the manipulation of text files. The majority of these files can be found in the /etc hierarchy. There are often graphical configuration programs available for different subsystems but most are simply pretty front ends to the process of editing a text file. The advantage of text-only configuration is that you can edit parameters using your favorite text editor, whether that be vim, emacs, or any other editor.

The first task is making a recovery boot device in Creating a Custom Boot Device because it's the most critical need. Hardware issues relevant to firmware and other devices is addressed next. The system is then configured to ease addition of new users, because this can affect the choices you make in the two subsequent topics—The Bash Shell Startup Files and The vimrc Files.

The remaining topics, Customizing your Logon with /etc/issue, Random number generation, and Autofs-5.1.6 are then addressed, in that order. They don't have much interaction with the other topics in this chapter.

Creating a Custom Boot Device

Decent Rescue Boot Device Needs

This section is really about creating a rescue device. As the name rescue implies, the host system has a problem, often lost partition information or corrupted file systems, that prevents it from booting and/or operating normally. For this reason, you must not depend on resources from the host being "rescued". To presume that any given partition or hard drive will be available is a risky presumption.

In a modern system, there are many devices that can be used as a rescue device: floppy, cdrom, usb drive, or even a network card. Which one you use depends on your hardware and your BIOS. In the past, a rescue device was thought to be a floppy disk. Today, many systems do not even have a floppy drive.

Building a complete rescue device is a challenging task. In many ways, it is equivalent to building an entire LFS system. In addition, it would be a repetition of information already available. For these reasons, the procedures for a rescue device image are not presented here.

Creating a Rescue Floppy

The software of today's systems has grown large. Linux 2.6 no longer supports booting directly from a floppy. In spite of this, there are solutions available using older versions of Linux. One of the best is Tom's Root/Boot Disk available at http://www.toms.net/rb/. This will provide a minimal Linux system on a single floppy disk and provides the ability to customize the contents of your disk if necessary.

Creating a Bootable CD-ROM

There are several sources that can be used for a rescue CD-ROM. Just about any commercial distribution's installation CD-ROMs or DVDs will work. These include RedHat, Ubuntu, and SuSE. One very popular option is Knoppix.

Also, the LFS Community has developed its own LiveCD available at http://www.linuxfromscratch.org/livecd/. This LiveCD, is no longer capable of building an entire LFS/BLFS system, but is still a good rescue CD-ROM. If you download the ISO image, use xorriso to copy the image to a CD-ROM.

The instructions for using GRUB2 to make a custom rescue CD-ROM are also available in LFS Chapter 8.

Creating a Bootable USB Drive

A USB Pen drive, sometimes called a Thumb drive, is recognized by Linux as a SCSI device. Using one of these devices as a rescue device has the advantage that it is usually large enough to hold more than a minimal boot image. You can save critical data to the drive as well as use it to diagnose and recover a damaged system. Booting such a drive requires BIOS support, but building the system consists of formatting the drive, adding GRUB as well as the Linux kernel and supporting files.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/CreatingaCustomBootDevice

Last updated on 2017-04-23 10:21:19 -0700

About Console Fonts

An LFS system can be used without a graphical desktop, and unless or until you install X Window System you will have to work in the console. Most, if not all, PCs boot with an 8x16 font - whatever the actual screen size. There are a few things you can do to alter the display on the console. Most of them involve changing the font, but the first alters the commandline used by grub.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/aboutconsolefonts

Setting a smaller screen size in grub

Modern screens often have a lot more pixels then the screens used in the past. If your screen is 1600 pixels wide, an 8x16 font will give you 200 columns of text - unless your monitor is enormous, the text will be tiny. One of the ways to work around this is to tell grub to use a smaller size, such as 1024x768 or 800x600 or even 640x480. Even if your screen does not have a 4:3 aspect ratio, this should work.

To try this, you can reboot and edit grub's command-line to insert a 'video=' parameter between the 'root=/dev/sdXn' and 'ro', for example root=/dev/sda2 video=1024x768 ro based on the example in LFS section 8.4.4 : ../../../../lfs/view/9.1/chapter08/grub.html .

If you decide that you wish to do this, you can then (as the root user) edit /boot/grub/grub.cfg.

Using the standard psf fonts

In LFS the kbd package is used. The fonts it provides are PC Screen Fonts, usually called PSF, and they were installed into /usr/share/consolefonts. Where these include a unicode mapping table, the file suffix is often changed to .psfu although packages such as terminus-font (see below) do not add the 'u'. These fonts are usually compressed with gzip to save space, but that is not essential.

The initial PC text screens had 8 colours, or 16 colours if the bright versions of the original 8 colours were used. A PSF font can include up to 256 characters (technically, glyphs) while allowing 16 colours, or up to 512 characters (in which case, the bright colours will not be available). Clearly, these console fonts cannot be used to display CJK text - that would need thousands of available glyphs.

Some fonts in kbd can cover more than 512 codepoints ('characters'), with varying degrees of fidelity: unicode contains several whitespace codepoints which can all be mapped to a space, varieties of dashes can be mapped to a minus sign, smart quotes can map to the regular ASCII quotes rather than to whatever is used for "codepoint not present or invalid", and those cyrillic or greek letters which look like latin letters can be mapped onto them, so 'A' can also do duty for cyrillic A and greek Alpha, and 'P' can also do duty for cyrillic ER and greek RHO. Unfortunately, where a font has been created from a BDF file (the method in terminus and debian's console-setup ) such mapping of additional codepoints onto an existing glyph is not always done, although the terminus ter-vXXn fonts do this well.

There are over 120 combinations of font and size in kbd: often a font is provided at several character sizes, and sometimes varieties cover different subsets of unicode. Most are 8 pixels wide, in heights from 8 to 16 pixels, but there are a few which are 9 pixels wide, some others which are 12x22, and even one (latarcyrheb-sun32.psfu) which has been scaled up to 16x32. Using a bigger font is another way of making text on a large screen easier to read.

Testing different fonts

You can test fonts as a normal user. If you have a font which has not been installed, you can load it with :

setfont /path/to/yourfont.ext

For the fonts already installed you only need the name, so using gr737a-9x16.psfu.gz as an example:

setfont gr737a-9x16

To see the glyphs in the font, use:

showconsolefont

If the font looks as if it might be useful, you can then go on to test it more thoroughly.

When you find a font which you wish to use, as the root user) edit /etc/sysconfig/console as described in LFS section 7.6.5 ../../../../lfs/view/9.1/chapter07/usage.html. .

For fonts not supplied with the kbd package you will need to optionally compress it / them with gzip and then install it / them as the root user.

Editing fonts using psf-tools

Although some console fonts are created from BDF files, which is a text format with hex values for the pixels in each row of the character, there are more-modern tools available for editing psf fonts. The psftools package allows you to dump a font to a text representation with a dash for a pixel which is off (black) and a hash for a pixel which is on (white). You can then edit the text file to add more characters, or reshape them, or map extra codepoints onto them, and then create a new psf font with your changes.

Using fonts from Terminus-font

The Terminus Font package provides fixed-width bitmap fonts designed for long (8 hours and more per day) work with computers. Under 'Character variants' on that page is a list of patches (in the alt/ directory). If you are using a graphical browser to look at that page, you can see what the patches do, e.g. 'll2' makes 'l' more visibly different from 'i' and '1'.

By default terminus-fonts will try to create several types of font, and it will fail if bdftopcf from Xorg Applications has not been installed. The configure script is only really useful if you go on to install all the fonts (console and X11 bitmap) to the correct directories, as in a distro. To build only the PSF fonts and their dependencies, run:

make psf

This will create more than 240 ter-*.psf fonts. The 'b' suffix indicates bright, 'n' indicates normal. You can then test them to see if any fit your requirements. Unless you are creating a distro, there seems little point in installing them all.

As an example, to install the last of these fonts, you can gzip it and then as the root user:

install -v -m644 ter-v32n.psf.gz /usr/share/consolefonts

Last updated on 2018-09-30 20:09:39 -0700

About Firmware

On some recent PCs it can be necessary, or desirable, to load firmware to make them work at their best. There is a directory, /lib/firmware, where the kernel or kernel drivers look for firmware images.

Preparing firmware for multiple different machines, as a distro would do, is outside the scope of this book.

Currently, most firmware can be found at a git repository: http://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/tree/. For convenience, the LFS Project has created a mirror, updated daily, where these firmware files can be accessed via wget or a web browser at http://anduin.linuxfromscratch.org/BLFS/linux-firmware/.

To get the firmware, either point a browser to one of the above repositories and then download the item(s) which you need, or install git and clone that repository.

For some other firmware, particularly for Intel microcode and certain wifi devices, the needed firmware is not available in the above repository. Some of this will be addressed below, but a search of the Internet for needed firmware is sometimes necessary.

Firmware files are conventionally referred to as blobs because you cannot determine what they will do. Note that firmware is distributed under various different licenses which do not permit disassembly or reverse-engineering.

Firmware for PCs falls into four categories:

  • Updates to the CPU to work around errata, usually referred to as microcode.

  • Firmware for video controllers. On x86 machines this seems to mostly apply to ATI devices (Radeon and AMDGPU chips) and Nvidia Maxwell and Pascal cards which all require firmware to be able to use KMS (kernel modesetting - the preferred option) as well as for Xorg. For earlier radeon chips (before the R600), the firmware is still in the kernel.

  • Firmware updates for wired network ports. Mostly they work even without the updates, but probably they will work better with the updated firmware. For some modern laptops, firmware for both wired ethernet (e.g. rtl_nic) and also for bluetooth devices (e.g. qca) is required before the wired network can be used.

  • Firmware for other devices, such as wifi. These devices are not required for the PC to boot, but need the firmware before these devices can be used.

Note

Although not needed to load a firmware blob, the following tools may be useful for determining, obtaining, or preparing the needed firmware in order to load it into the system: cpio-2.13, git-2.25.0, pciutils-3.6.4, and Wget-1.20.3

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/aboutfirmware

Microcode updates for CPUs

In general, microcode can be loaded by the BIOS or UEFI, and it might be updated by upgrading to a newer version of those. On linux, you can also load the microcode from the kernel if you are using an AMD family 10h or later processor (first introduced late 2007), or an Intel processor from 1998 and later (Pentium4, Core, etc), if updated microcode has been released. These updates only last until the machine is powered off, so they need to be applied on every boot.

Intel provide updates of their microcode for SandyBridge and later processors as new vulnerabilities come to light. New versions of AMD firmware are rare and usually only apply to a few models, although motherboard manufacturers get extra updates which maybe update microcode along with the changes to support newer CPUs and faster memory.

There are two ways of loading the microcode, described as 'early' and 'late'. Early loading happens before userspace has been started, late loading happens after userspace has started. Not surprisingly, early loading is preferred, (see e.g. an explanatory comment in a kernel commit noted at x86/microcode: Early load microcode on LWN.) Indeed, it is needed to work around one particular erratum in early Intel Haswell processors which had TSX enabled. (See Intel Disables TSX Instructions: Erratum Found in Haswell, Haswell-E/EP, Broadwell-Y.) Without this update glibc can do the wrong thing in uncommon situations.

It is still possible to manually force late loading of microcode, either for testing or to prevent having to reboot. You will need to reconfigure your kernel for either method. The instructions here will create a kernel .config to suite early loading, before forcing late loading to see if there is any microcode. If there is, the instructions then show you how to create an initrd for early loading.

To confirm what processor(s) you have (if more than one, they will be identical) look in /proc/cpuinfo.

Intel Microcode for the CPU

The first step is to get the most recent version of the Intel microcode. This must be done by navigating to https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/ and downloading the latest file there. As of this writing the most recent version of the microcode is microcode-20191115. Extract this file in the normal way, the microcode is in the intel-ucode directory, containing various blobs with names in the form XX-YY-ZZ. There are also various other files, and a releasenote.

In the past, intel did not provide any details of which blobs had changed versions, but now the release note details this.

The recent firmware for older processors is provided to deal with vulnerabilities which have now been made public, and for some of these such as Microarchitectural Data Sampling (MDS) you might wish to increase the protection by disabling hyperthreading, or alternatively to disable the kernel's default mitigation because of its impact on compile times. Please read the online documentation at https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html.

To be able to use this latest microcode to provide mitigation on all the affected processors, the kernel version needs to be at least 5.3.11 (or 4.19.84 if you are using the 4.19 long term support series).

Now you need to determine your processor's identity to see if there is any microcode for it. Determine the decimal values of the cpu family, model and stepping by running the following command (it will also report the current microcode version):

head -n7 /proc/cpuinfo

Convert the cpu family, model and stepping to pairs of hexadecimal digits. For a Skylake i3 6100 (described as Intel(R) Core(TM) i3-6100 CPU) the relevant values are cpu family 6, model 94, stepping 3 so in this case the required identification is 06-5e-03. A look at the blobs will show that there is one for this CPU (although for older issues it might have already been applied by the BIOS). If there is a blob for your system then test if it will be applied by copying it (replace <XX-YY-ZZ> by the identifier for your machine) to where the kernel can find it:

mkdir -pv /lib/firmware/intel-ucode
cp -v intel-ucode/<XX-YY-ZZ> /lib/firmware/intel-ucode

Now that the Intel microcode has been prepared, use the following options when you configure the kernel to load Intel microcode:

General Setup --->
  [y] Initial RAM filesystem and RAM disk (initramfs/initrd) support [CONFIG_BLK_DEV_INITRD]
Processor type and features  --->
  [y] CPU microcode loading support  [CONFIG_MICROCODE]
  [y]      Intel microcode loading support [CONFIG_MICROCODE_INTEL]

After you have successfully booted the new system, force late loading by using the command:

echo 1 > /sys/devices/system/cpu/microcode/reload

Then use the following command to see if anything was loaded:

dmesg | grep -e 'microcode' -e 'Linux version' -e 'Command line'

This reformatted example was created by temporarily booting without microcode, to show the current Firmware Bug message, then the late load shows it being updated to revision 0xd6.

[    0.000000] Linux version 5.4.2 (lfs@leshp) (gcc version 9.2.0 (GCC))
               #1 SMP PREEMPT Wed Dec 18 11:52:13 GMT 2019
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-5.4.2-sda11 root=/dev/sda11 ro
[    0.020218] [Firmware Bug]: TSC_DEADLINE disabled due to Errata; please update microcode
               to version: 0xb2 (or later)
[    0.153861] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
[    0.550009] microcode: sig=0x506e3, pf=0x2, revision=0x74
[    0.550036] microcode: Microcode Update Driver: v2.2.
[  277.673064] microcode: updated to revision 0xd6, date = 2019-10-03
[  277.674231] x86/CPU: CPU features have changed after loading microcode, but might not take effect

If the microcode was not updated, there is no new microcode for this system's processor. If it did get updated, you can now proceed to the section called “Early loading of microcode”.

AMD Microcode for the CPU

Begin by downloading a container of firmware for your CPU family from http://anduin.linuxfromscratch.org/BLFS/linux-firmware/amd-ucode/. The family is always specified in hex. Families 10h to 14h (16 to 20) are in microcode_amd.bin. Families 15h, 16h and 17h have their own containers. Create the required directory and put the firmware you downloaded into it as the root user:

mkdir -pv /lib/firmware/amd-ucode
cp -v microcode_amd* /lib/firmware/amd-ucode

When you configure the kernel, use the following options to load AMD microcode:

General Setup --->
  [y] Initial RAM filesystem and RAM disk (initramfs/initrd) support [CONFIG_BLK_DEV_INITRD]
Processor type and features  --->
  [y] CPU microcode loading support  [CONFIG_MICROCODE]
  [y]      AMD microcode loading support [CONFIG_MICROCODE_AMD]

After you have successfully booted the new system, force late loading by using the command:

echo 1 > /sys/devices/system/cpu/microcode/reload

Then use the following command to see if anything was loaded:

dmesg | grep -e 'microcode' -e 'Linux version' -e 'Command line'

This historic example from an old Athlon(tm) II X2 shows it has been updated. At that time, all CPUs were still reported in the microcode details on AMD machines (the current position for AMD machines where newer microcode is available is unknown) :

[    0.000000] Linux version 4.15.3 (ken@testserver) (gcc version 7.3.0 (GCC))
               #1 SMP Sun Feb 18 02:08:12 GMT 2018
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-4.15.3-sda5 root=/dev/sda5 ro
[    0.307619] microcode: CPU0: patch_level=0x010000b6
[    0.307671] microcode: CPU1: patch_level=0x010000b6
[    0.307743] microcode: Microcode Update Driver: v2.2.
[  187.928891] microcode: CPU0: new patch_level=0x010000c8
[  187.928899] microcode: CPU1: new patch_level=0x010000c8

If the microcode was not updated, there is no new microcode for this system's processor. If it did get updated, you can now proceed to the section called “Early loading of microcode”.

Early loading of microcode

If you have established that updated microcode is available for your system, it is time to prepare it for early loading. This requires an additional package, cpio-2.13 and the creation of an initrd which will need to be added to grub.cfg.

It does not matter where you prepare the initrd, and once it is working you can apply the same initrd to later LFS systems or newer kernels on this same machine, at least until any newer microcode is released. Use the following commands:

mkdir -p initrd/kernel/x86/microcode
cd initrd

For an AMD machine, use the following command (replace <MYCONTAINER> with the name of the container for your CPU's family):

cp -v /lib/firmware/amd-ucode/<MYCONTAINER> kernel/x86/microcode/AuthenticAMD.bin

Or for an Intel machine copy the appropriate blob using this command:

cp -v /lib/firmware/intel-ucode/<XX-YY-ZZ> kernel/x86/microcode/GenuineIntel.bin

Now prepare the initrd:

find . | cpio -o -H newc > /boot/microcode.img

You now need to add a new entry to /boot/grub/grub.cfg and here you should add a new line after the linux line within the stanza. If /boot is a separate mountpoint:

initrd /microcode.img

or this if it is not:

initrd /boot/microcode.img

If you are already booting with an initrd (see the section called “About initramfs”), you should run mkinitramfs again after putting the appropriate blob or container into /lib/firmware as explained above. Alternatively, you can have both initrd on the same line, such as initrd /microcode.img /other-initrd.img (adapt that as above if /boot is not a separate mountpoint).

You can now reboot with the added initrd, and then use the same command to check that the early load worked.

dmesg | grep -e 'microcode' -e 'Linux version' -e 'Command line'

If you updated to address vulnerabilities, you can look at /sys/devices/system/cpu/vulnerabilities/ to see what is now reported.

The places and times where early loading happens are very different in AMD and Intel machines. First, an Intel example with early loading:

[    0.000000] microcode: microcode updated early to revision 0xd6, date = 2019-10-03
[    0.000000] Linux version 5.4.6 (ken@leshp) (gcc version 9.2.0 (GCC))i
               #4 SMP PREEMPT Sat Dec 21 21:41:03 GMT 2019
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-5.4.6-sda11 root=/dev/sda11 ro resume=/dev/sda10
[    0.579936] microcode: sig=0x506e3, pf=0x2, revision=0xd6
[    0.579961] microcode: Microcode Update Driver: v2.2.

A historic AMD example:

[    0.000000] Linux version 4.15.3 (ken@testserver) (gcc version 7.3.0 (GCC))
               #2 SMP Sun Feb 18 02:32:03 GMT 2018
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-4.15.3-sda5 root=/dev/sda5 ro
[    0.307619] microcode: microcode updated early to new patch_level=0x010000c8
[    0.307678] microcode: CPU0: patch_level=0x010000c8
[    0.307723] microcode: CPU1: patch_level=0x010000c8
[    0.307795] microcode: Microcode Update Driver: v2.2.

Firmware for Video Cards

Firmware for ATI video chips (R600 and later)

These instructions do NOT apply to old radeons before the R600 family. For those, the firmware is in the kernel's /lib/firmware/ directory. Nor do they apply if you intend to avoid a graphical setup such as Xorg and are content to use the default 80x25 display rather than a framebuffer.

Early radeon devices only needed a single 2K blob of firmware. Recent devices need several different blobs, and some of them are much bigger. The total size of the radeon firmware directory is over 500K — on a large modern system you can probably spare the space, but it is still redundant to install all the unused files each time you build a system.

A better approach is to install pciutils-3.6.4 and then use lspci to identify which VGA controller is installed.

With that information, check the RadeonFeature page of the Xorg wiki for Decoder ring for engineering vs marketing names to identify the family (you may need to know this for the Xorg driver in BLFS — Southern Islands and Sea Islands use the radeonsi driver) and the specific model.

Now that you know which controller you are using, consult the Radeon page of the Gentoo wiki which has a table listing the required firmware blobs for the various chipsets. Note that Southern Islands and Sea Islands chips use different firmware for kernel 3.17 and later compared to earlier kernels. Identify and download the required blobs then install them:

mkdir -pv /lib/firmware/radeon
cp -v <YOUR_BLOBS> /lib/firmware/radeon

There are actually two ways of installing this firmware. BLFS, in the 'Kernel Configuration for additional firmware' section part of the Xorg ATI Driver-19.1.0 section gives an example of compiling the firmware into the kernel - that is slightly faster to load, but uses more kernel memory. Here we will use the alternative method of making the radeon driver a module. In your kernel config set the following:

Device Drivers --->
  Graphics support --->
      Direct Rendering Manager --->
        <*> Direct Rendering Manager (XFree86 ... support)  [CONFIG_DRM]
      <m> ATI Radeon                                        [CONFIG_DRM_RADEON]

Loading several large blobs from /lib/firmware takes a noticeable time, during which the screen will be blank. If you do not enable the penguin framebuffer logo, or change the console size by using a bigger font, that probably does not matter. If desired, you can slightly reduce the time if you follow the alternate method of specifying 'y' for CONFIG_DRM_RADEON covered in BLFS at the link above — you must specify each needed radeon blob if you do that.

Firmware for Nvidia video chips

Some Nvidia graphics chips need firmware updates to take advantage of all the card's capability. These are generally the GeForce 8, 9, 9300, and 200-900 series chips. For more exact information, see https://nouveau.freedesktop.org/wiki/VideoAcceleration/#firmware.

First, the kernel Nvidia driver must be activated:

Device Drivers --->
  Graphics support --->
      Direct Rendering Manager --->
        <*> Direct Rendering Manager (XFree86 ... support)  [CONFIG_DRM]
      <*/m> Nouveau (NVIDIA) cards                          [CONFIG_DRM_NOUVEAU]

The steps to install the Nvidia firmware are:

wget https://raw.github.com/imirkin/re-vp2/master/extract_firmware.py
wget http://us.download.nvidia.com/XFree86/Linux-x86/325.15/NVIDIA-Linux-x86-325.15.run
sh NVIDIA-Linux-x86-325.15.run --extract-only
python extract_firmware.py 
mkdir -p /lib/firmware/nouveau
cp -d nv* vuc-* /lib/firmware/nouveau/

Firmware for Network Interfaces

The kernel likes to load firmware for some network drivers, particularly those from Realtek (the /lib/linux-firmware/rtl_nic/) directory, but they generally appear to work without it. Therefore, you can boot the kernel, check dmesg for messages about this missing firmware, and if necessary download the firmware and put it in the specified directory in /lib/firmware so that it will be found on subsequent boots. Note that with current kernels this works whether or not the driver is compiled in or built as a module, there is no need to build this firmware into the kernel. Here is an example where the R8169 driver has been compiled in but the firmware was not made available. Once the firmware had been provided, there was no mention of it on later boots.

dmesg | grep firmware | grep r8169
[    7.018028] r8169 0000:01:00.0: Direct firmware load for rtl_nic/rtl8168g-2.fw failed with error -2
[    7.018036] r8169 0000:01:00.0 eth0: unable to load firmware patch rtl_nic/rtl8168g-2.fw (-2)

Firmware for Other Devices

Identifying the correct firmware will typically require you to install pciutils-3.6.4, and then use lspci to identify the device. You should then search online to check which module it uses, which firmware, and where to obtain the firmware — not all of it is in linux-firmware.

If possible, you should begin by using a wired connection when you first boot your LFS system. To use a wireless connection you will need to use a network tools such as Wireless Tools-29 and wpa_supplicant-2.9.

Firmware may also be needed for other devices such as some SCSI controllers, bluetooth adaptors, or TV recorders. The same principles apply.

Last updated on 2020-01-09 08:18:14 -0800

About Devices

Although most devices needed by packages in BLFS and beyond are set up properly by udev using the default rules installed by LFS in /etc/udev/rules.d, there are cases where the rules must be modified or augmented.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/aboutdevices

Multiple Sound Cards

If there are multiple sound cards in a system, the "default" sound card becomes random. The method to establish sound card order depends on whether the drivers are modules or not. If the sound card drivers are compiled into the kernel, control is via kernel command line parameters in /boot/grub/grub.cfg. For example, if a system has both an FM801 card and a SoundBlaster PCI card, the following can be appended to the command line:

snd-fm801.index=0 snd-ens1371.index=1

If the sound card drivers are built as modules, the order can be established in the /etc/modprobe.conf file with:

options snd-fm801 index=0
options snd-ens1371 index=1

USB Device Issues

USB devices usually have two kinds of device nodes associated with them.

The first kind is created by device-specific drivers (e.g., usb_storage/sd_mod or usblp) in the kernel. For example, a USB mass storage device would be /dev/sdb, and a USB printer would be /dev/usb/lp0. These device nodes exist only when the device-specific driver is loaded.

The second kind of device nodes (/dev/bus/usb/BBB/DDD, where BBB is the bus number and DDD is the device number) are created even if the device doesn't have a kernel driver. By using these "raw" USB device nodes, an application can exchange arbitrary USB packets with the device, i.e., bypass the possibly-existing kernel driver.

Access to raw USB device nodes is needed when a userspace program is acting as a device driver. However, for the program to open the device successfully, the permissions have to be set correctly. By default, due to security concerns, all raw USB devices are owned by user root and group usb, and have 0664 permissions (the read access is needed, e.g., for lsusb to work and for programs to access USB hubs). Packages (such as SANE and libgphoto2) containing userspace USB device drivers also ship udev rules that change the permissions of the controlled raw USB devices. That is, rules installed by SANE change permissions for known scanners, but not printers. If a package maintainer forgot to write a rule for your device, report a bug to both BLFS (if the package is there) and upstream, and you will need to write your own rule.

There is one situation when such fine-grained access control with pre-generated udev rules doesn't work. Namely, PC emulators such as KVM, QEMU and VirtualBox use raw USB device nodes to present arbitrary USB devices to the guest operating system (note: patches are needed in order to get this to work without the obsolete /proc/bus/usb mount point described below). Obviously, maintainers of these packages cannot know which USB devices are going to be connected to the guest operating system. You can either write separate udev rules for all needed USB devices yourself, or use the default catch-all "usb" group, members of which can send arbitrary commands to all USB devices.

Before Linux-2.6.15, raw USB device access was performed not with /dev/bus/usb/BBB/DDD device nodes, but with /proc/bus/usb/BBB/DDD pseudofiles. Some applications (e.g., VMware Workstation) still use only this deprecated technique and can't use the new device nodes. For them to work, use the "usb" group, but remember that members will have unrestricted access to all USB devices. To create the fstab entry for the obsolete usbfs filesystem:

usbfs  /proc/bus/usb  usbfs  devgid=14,devmode=0660  0  0

Note

Adding users to the "usb" group is inherently insecure, as they can bypass access restrictions imposed through the driver-specific USB device nodes. For instance, they can read sensitive data from USB hard drives without being in the "disk" group. Avoid adding users to this group, if you can.

Udev Device Attributes

Fine-tuning of device attributes such as group name and permissions is possible by creating extra udev rules, matching on something like this. The vendor and product can be found by searching the /sys/devices directory entries or using udevadm info after the device has been attached. See the documentation in the current udev directory of /usr/share/doc for details.

SUBSYSTEM=="usb_device", SYSFS{idVendor}=="05d8", SYSFS{idProduct}=="4002", \
  GROUP:="scanner", MODE:="0660"

Note

The above line is used for descriptive purposes only. The scanner udev rules are put into place when installing SANE-1.0.27.

Devices for Servers

In some cases, it makes sense to disable udev completely and create static devices. Servers are one example of this situation. Does a server need the capability of handling dynamic devices? Only the system administrator can answer that question, but in many cases the answer will be no.

If dynamic devices are not desired, then static devices must be created on the system. In the default configuration, the /etc/rc.d/rcS.d/S10udev boot script mounts a tmpfs partition over the /dev directory. This problem can be overcome by mounting the root partition temporarily:

Warning

If the instructions below are not followed carefully, your system could become unbootable.

mount --bind / /mnt
cp -a /dev/* /mnt/dev
rm /etc/rc.d/rcS.d/{S10udev,S50udev_retry}
umount /mnt

At this point, the system will use static devices upon the next reboot. Create any desired additional devices using mknod.

If you want to restore the dynamic devices, recreate the /etc/rc.d/rcS.d/{S10udev,S50udev_retry} symbolic links and reboot again. Static devices do not need to be removed (console and null are always needed) because they are covered by the tmpfs partition. Disk usage for devices is negligible (about 20–30 bytes per entry.)

Devices for DVD Drives

If the initial boot process does not set up the /dev/dvd device properly, it can be installed using the following modification to the default udev rules. As the root user, run:

sed '1d;/SYMLINK.*cdrom/ a\
KERNEL=="sr0", ENV{ID_CDROM_DVD}=="1", SYMLINK+="dvd", OPTIONS+="link_priority=-100"' \
/lib/udev/rules.d/60-cdrom_id.rules > /etc/udev/rules.d/60-cdrom_id.rules

Last updated on 2018-01-10 02:44:47 -0800

Configuring for Adding Users

Together, the /usr/sbin/useradd command and /etc/skel directory (both are easy to set up and use) provide a way to assure new users are added to your LFS system with the same beginning settings for things such as the PATH, keyboard processing and other environmental variables. Using these two facilities makes it easier to assure this initial state for each new user added to the system.

The /etc/skel directory holds copies of various initialization and other files that may be copied to the new user's home directory when the /usr/sbin/useradd program adds the new user.

Useradd

The useradd program uses a collection of default values kept in /etc/default/useradd. This file is created in a base LFS installation by the Shadow package. If it has been removed or renamed, the useradd program uses some internal defaults. You can see the default values by running /usr/sbin/useradd -D.

To change these values, simply modify the /etc/default/useradd file as the root user. An alternative to directly modifying the file is to run useradd as the root user while supplying the desired modifications on the command line. Information on how to do this can be found in the useradd man page.

/etc/skel

To get started, create an /etc/skel directory and make sure it is writable only by the system administrator, usually root. Creating the directory as root is the best way to go.

The mode of any files from this part of the book that you put in /etc/skel should be writable only by the owner. Also, since there is no telling what kind of sensitive information a user may eventually place in their copy of these files, you should make them unreadable by "group" and "other".

You can also put other files in /etc/skel and different permissions may be needed for them.

Decide which initialization files should be provided in every (or most) new user's home directory. The decisions you make will affect what you do in the next two sections, The Bash Shell Startup Files and The vimrc Files. Some or all of those files will be useful for root, any already-existing users, and new users.

The files from those sections that you might want to place in /etc/skel include .inputrc, .bash_profile, .bashrc, .bash_logout, .dircolors, and .vimrc. If you are unsure which of these should be placed there, just continue to the following sections, read each section and any references provided, and then make your decision.

You will run a slightly modified set of commands for files which are placed in /etc/skel. Each section will remind you of this. In brief, the book's commands have been written for files not added to /etc/skel and instead just sends the results to the user's home directory. If the file is going to be in /etc/skel, change the book's command(s) to send output there instead and then just copy the file from /etc/skel to the appropriate directories, like /etc, ~ or the home directory of any other user already in the system.

When Adding a User

When adding a new user with useradd, use the -m parameter, which tells useradd to create the user's home directory and copy files from /etc/skel (can be overridden) to the new user's home directory. For example (perform as the root user):

useradd -m <newuser>

Last updated on 2007-10-16 06:49:09 -0700

About System Users and Groups

Throughout BLFS, many packages install programs that run as daemons or in some way should have a user or group name assigned. Generally these names are used to map a user ID (uid) or group ID (gid) for system use. Generally the specific uid or gid numbers used by these applications are not significant. The exception of course, is that root has a uid and gid of 0 (zero) that is indeed special. The uid values are stored in /etc/passwd and the gid values are found in /etc/group.

Customarily, Unix systems classify users and groups into two categories: system users and regular users. The system users and groups are given low numbers and regular users and groups have numeric values greater than all the system values. The cutoff for these numbers is found in two parameters in the /etc/login.defs configuration file. The default UID_MIN value is 1000 and the default GID_MIN value is 1000. If a specific uid or gid value is not specified when creating a user with useradd or a group with groupadd the values assigned will always be above these cutoff values.

Additionally, the Linux Standard Base recommends that system uid and gid values should be below 100.

Below is a table of suggested uid/gid values used in BLFS beyond those defined in a base LFS installation. These can be changed as desired, but provide a suggested set of consistent values.

Table 3.1. UID/GID Suggested Values

Name uid gid
bin 1
lp 9
adm 16
atd 17 17
messagebus 18 18
lpadmin   19
named 20 20
gdm 21 21
fcron 22 22
systemd-journal   23
apache 25 25
smmsp 26 26
polkitd 27 27
rpc 28 28
exim 31 31
postfix 32 32
postdrop 33
sendmail 34
mail 34
vmailman 35 35
news 36 36
kdm 37 37
fetchmail 38
mysql 40 40
postgres 41 41
dovecot 42 42
dovenull 43 43
ftp 45 45
proftpd 46 46
vsftpd 47 47
rsyncd 48 48
sshd 50 50
stunnel 51 51
svn 56 56
svntest 57
games 60 60
kvm 61
wireshark 62
lightdm 63 63
sddm 64 64
lightdm 65 65
scanner 70
colord 71 71
systemd-bus-proxy 72 72
systemd-journal-gateway 73 73
systemd-journal-remote 74 74
systemd-journal-upload 75 75
systemd-network 76 76
systemd-resolve 77 77
systemd-timesync 78 78
systemd-coredump 79 79
ldap 83 83
avahi 84 84
avahi-autoipd 85 85
netdev 86
ntp 87 87
unbound 88 88
plugdev 90
wheel 97
anonymous 98
nobody 99
nogroup 99

One value that is missing is 65534. This value is customarily assigned to the user nobody and group nogroup and is unnecessary.

Last updated on 2019-10-24 15:49:23 -0700

The Bash Shell Startup Files

The shell program /bin/bash (hereafter referred to as just "the shell") uses a collection of startup files to help create an environment. Each file has a specific use and may affect login and interactive environments differently. The files in the /etc directory generally provide global settings. If an equivalent file exists in your home directory it may override the global settings.

An interactive login shell is started after a successful login, using /bin/login, by reading the /etc/passwd file. This shell invocation normally reads /etc/profile and its private equivalent ~/.bash_profile (or ~/.profile if called as /bin/sh) upon startup.

An interactive non-login shell is normally started at the command-line using a shell program (e.g., [prompt]$/bin/bash) or by the /bin/su command. An interactive non-login shell is also started with a terminal program such as xterm or konsole from within a graphical environment. This type of shell invocation normally copies the parent environment and then reads the user's ~/.bashrc file for additional startup configuration instructions.

A non-interactive shell is usually present when a shell script is running. It is non-interactive because it is processing a script and not waiting for user input between commands. For these shell invocations, only the environment inherited from the parent shell is used.

The file ~/.bash_logout is not used for an invocation of the shell. It is read and executed when a user exits from an interactive login shell.

Many distributions use /etc/bashrc for system wide initialization of non-login shells. This file is usually called from the user's ~/.bashrc file and is not built directly into bash itself. This convention is followed in this section.

For more information see info bash -- Nodes: Bash Startup Files and Interactive Shells.

Note

Most of the instructions below are used to create files located in the /etc directory structure which requires you to execute the commands as the root user. If you elect to create the files in user's home directories instead, you should run the commands as an unprivileged user.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/bash-shell-startup-files

/etc/profile

Here is a base /etc/profile. This file starts by setting up some helper functions and some basic parameters. It specifies some bash history parameters and, for security purposes, disables keeping a permanent history file for the root user. It also sets a default user prompt. It then calls small, single purpose scripts in the /etc/profile.d directory to provide most of the initialization.

For more information on the escape sequences you can use for your prompt (i.e., the PS1 environment variable) see info bash -- Node: Printing a Prompt.

cat > /etc/profile << "EOF"
# Begin /etc/profile
# Written for Beyond Linux From Scratch
# by James Robertson <[email protected]>
# modifications by Dagmar d'Surreal <[email protected]>

# System wide environment variables and startup programs.

# System wide aliases and functions should go in /etc/bashrc.  Personal
# environment variables and startup programs should go into
# ~/.bash_profile.  Personal aliases and functions should go into
# ~/.bashrc.

# Functions to help us manage paths.  Second argument is the name of the
# path variable to be modified (default: PATH)
pathremove () {
        local IFS=':'
        local NEWPATH
        local DIR
        local PATHVARIABLE=${2:-PATH}
        for DIR in ${!PATHVARIABLE} ; do
                if [ "$DIR" != "$1" ] ; then
                  NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
                fi
        done
        export $PATHVARIABLE="$NEWPATH"
}

pathprepend () {
        pathremove $1 $2
        local PATHVARIABLE=${2:-PATH}
        export $PATHVARIABLE="$1${!PATHVARIABLE:+:${!PATHVARIABLE}}"
}

pathappend () {
        pathremove $1 $2
        local PATHVARIABLE=${2:-PATH}
        export $PATHVARIABLE="${!PATHVARIABLE:+${!PATHVARIABLE}:}$1"
}

export -f pathremove pathprepend pathappend

# Set the initial path
export PATH=/bin:/usr/bin

if [ $EUID -eq 0 ] ; then
        pathappend /sbin:/usr/sbin
        unset HISTFILE
fi

# Setup some environment variables.
export HISTSIZE=1000
export HISTIGNORE="&:[bf]g:exit"

# Set some defaults for graphical systems
export XDG_DATA_DIRS=${XDG_DATA_DIRS:-/usr/share/}
export XDG_CONFIG_DIRS=${XDG_CONFIG_DIRS:-/etc/xdg/}
export XDG_RUNTIME_DIR=${XDG_RUNTIME_DIR:-/tmp/xdg-$USER}

# Setup a red prompt for root and a green one for users.
NORMAL="\[\e[0m\]"
RED="\[\e[1;31m\]"
GREEN="\[\e[1;32m\]"
if [[ $EUID == 0 ]] ; then
  PS1="$RED\u [ $NORMAL\w$RED ]# $NORMAL"
else
  PS1="$GREEN\u [ $NORMAL\w$GREEN ]\$ $NORMAL"
fi

for script in /etc/profile.d/*.sh ; do
        if [ -r $script ] ; then
                . $script
        fi
done

unset script RED GREEN NORMAL

# End /etc/profile
EOF

The /etc/profile.d Directory

Now create the /etc/profile.d directory, where the individual initialization scripts are placed:

install --directory --mode=0755 --owner=root --group=root /etc/profile.d

/etc/profile.d/bash_completion.sh

Note

Using the bash completion script below is controversial. Not all users like it. It adds many (usually over 1000) lines to the bash environment and makes it difficult to use the 'set' command to examine simple environment variables. Omitting this script does not interfere with the ability of bash to use the tab key for file name completion.

This script imports bash completion scripts, installed by many other BLFS packages, to allow TAB command line completion.

cat > /etc/profile.d/bash_completion.sh << "EOF"
# Begin /etc/profile.d/bash_completion.sh
# Import bash completion scripts

# If the bash-completion package is installed, use its configuration instead
if [ -f /usr/share/bash-completion/bash_completion ]; then

  # Check for interactive bash and that we haven't already been sourced.
  if [ -n "${BASH_VERSION-}" -a -n "${PS1-}" -a -z "${BASH_COMPLETION_VERSINFO-}" ]; then

    # Check for recent enough version of bash.
    if [ ${BASH_VERSINFO[0]} -gt 4 ] || \
       [ ${BASH_VERSINFO[0]} -eq 4 -a ${BASH_VERSINFO[1]} -ge 1 ]; then
       [ -r "${XDG_CONFIG_HOME:-$HOME/.config}/bash_completion" ] && \
            . "${XDG_CONFIG_HOME:-$HOME/.config}/bash_completion"
       if shopt -q progcomp && [ -r /usr/share/bash-completion/bash_completion ]; then
          # Source completion code.
          . /usr/share/bash-completion/bash_completion
       fi
    fi
  fi

else

  # bash-completions are not installed, use only bash completion directory
  if shopt -q progcomp; then
    for script in /etc/bash_completion.d/* ; do
      if [ -r $script ] ; then
        . $script
      fi
    done
  fi
fi

# End /etc/profile.d/bash_completion.sh
EOF

Make sure that the directory exists:

install --directory --mode=0755 --owner=root --group=root /etc/bash_completion.d

For a more complete installation, see http://wiki.linuxfromscratch.org/blfs/wiki/bash-shell-startup-files#bash-completions.

/etc/profile.d/dircolors.sh

This script uses the ~/.dircolors and /etc/dircolors files to control the colors of file names in a directory listing. They control colorized output of things like ls --color. The explanation of how to initialize these files is at the end of this section.

cat > /etc/profile.d/dircolors.sh << "EOF"
# Setup for /bin/ls and /bin/grep to support color, the alias is in /etc/bashrc.
if [ -f "/etc/dircolors" ] ; then
        eval $(dircolors -b /etc/dircolors)
fi

if [ -f "$HOME/.dircolors" ] ; then
        eval $(dircolors -b $HOME/.dircolors)
fi

alias ls='ls --color=auto'
alias grep='grep --color=auto'
EOF

/etc/profile.d/extrapaths.sh

This script adds some useful paths to the PATH and can be used to customize other PATH related environment variables (e.g. LD_LIBRARY_PATH, etc) that may be needed for all users.

cat > /etc/profile.d/extrapaths.sh << "EOF"
if [ -d /usr/local/lib/pkgconfig ] ; then
        pathappend /usr/local/lib/pkgconfig PKG_CONFIG_PATH
fi
if [ -d /usr/local/bin ]; then
        pathprepend /usr/local/bin
fi
if [ -d /usr/local/sbin -a $EUID -eq 0 ]; then
        pathprepend /usr/local/sbin
fi

# Set some defaults before other applications add to these paths.
pathappend /usr/share/man  MANPATH
pathappend /usr/share/info INFOPATH
EOF

/etc/profile.d/readline.sh

This script sets up the default inputrc configuration file. If the user does not have individual settings, it uses the global file.

cat > /etc/profile.d/readline.sh << "EOF"
# Setup the INPUTRC environment variable.
if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ] ; then
        INPUTRC=/etc/inputrc
fi
export INPUTRC
EOF

/etc/profile.d/umask.sh

Setting the umask value is important for security. Here the default group write permissions are turned off for system users and when the user name and group name are not the same.

cat > /etc/profile.d/umask.sh << "EOF"
# By default, the umask should be set.
if [ "$(id -gn)" = "$(id -un)" -a $EUID -gt 99 ] ; then
  umask 002
else
  umask 022
fi
EOF

/etc/profile.d/i18n.sh

This script sets an environment variable necessary for native language support. A full discussion on determining this variable can be found on the LFS Bash Shell Startup Files page.

cat > /etc/profile.d/i18n.sh << "EOF"
# Set up i18n variables
export LANG=<ll>_<CC>.<charmap><@modifiers>
EOF

Other Initialization Values

Other initialization can easily be added to the profile by adding additional scripts to the /etc/profile.d directory.

/etc/bashrc

Here is a base /etc/bashrc. Comments in the file should explain everything you need.

cat > /etc/bashrc << "EOF"
# Begin /etc/bashrc
# Written for Beyond Linux From Scratch
# by James Robertson <[email protected]>
# updated by Bruce Dubbs <[email protected]>

# System wide aliases and functions.

# System wide environment variables and startup programs should go into
# /etc/profile.  Personal environment variables and startup programs
# should go into ~/.bash_profile.  Personal aliases and functions should
# go into ~/.bashrc

# Provides colored /bin/ls and /bin/grep commands.  Used in conjunction
# with code in /etc/profile.

alias ls='ls --color=auto'
alias grep='grep --color=auto'

# Provides prompt for non-login shells, specifically shells started
# in the X environment. [Review the LFS archive thread titled
# PS1 Environment Variable for a great case study behind this script
# addendum.]

NORMAL="\[\e[0m\]"
RED="\[\e[1;31m\]"
GREEN="\[\e[1;32m\]"
if [[ $EUID == 0 ]] ; then
  PS1="$RED\u [ $NORMAL\w$RED ]# $NORMAL"
else
  PS1="$GREEN\u [ $NORMAL\w$GREEN ]\$ $NORMAL"
fi

unset RED GREEN NORMAL

# End /etc/bashrc
EOF

~/.bash_profile

Here is a base ~/.bash_profile. If you want each new user to have this file automatically, just change the output of the command to /etc/skel/.bash_profile and check the permissions after the command is run. You can then copy /etc/skel/.bash_profile to the home directories of already existing users, including root, and set the owner and group appropriately.

cat > ~/.bash_profile << "EOF"
# Begin ~/.bash_profile
# Written for Beyond Linux From Scratch
# by James Robertson <[email protected]>
# updated by Bruce Dubbs <[email protected]>

# Personal environment variables and startup programs.

# Personal aliases and functions should go in ~/.bashrc.  System wide
# environment variables and startup programs are in /etc/profile.
# System wide aliases and functions are in /etc/bashrc.

if [ -f "$HOME/.bashrc" ] ; then
  source $HOME/.bashrc
fi

if [ -d "$HOME/bin" ] ; then
  pathprepend $HOME/bin
fi

# Having . in the PATH is dangerous
#if [ $EUID -gt 99 ]; then
#  pathappend .
#fi

# End ~/.bash_profile
EOF

~/.profile

Here is a base ~/.profile. The comments and instructions for using /etc/skel for .bash_profile above also apply here. Only the target file names are different.

cat > ~/.profile << "EOF"
# Begin ~/.profile
# Personal environment variables and startup programs.

if [ -d "$HOME/bin" ] ; then
  pathprepend $HOME/bin
fi

# Set up user specific i18n variables
#export LANG=<ll>_<CC>.<charmap><@modifiers>

# End ~/.profile
EOF

~/.bashrc

Here is a base ~/.bashrc.

cat > ~/.bashrc << "EOF"
# Begin ~/.bashrc
# Written for Beyond Linux From Scratch
# by James Robertson <[email protected]>

# Personal aliases and functions.

# Personal environment variables and startup programs should go in
# ~/.bash_profile.  System wide environment variables and startup
# programs are in /etc/profile.  System wide aliases and functions are
# in /etc/bashrc.

if [ -f "/etc/bashrc" ] ; then
  source /etc/bashrc
fi

# Set up user specific i18n variables
#export LANG=<ll>_<CC>.<charmap><@modifiers>

# End ~/.bashrc
EOF

~/.bash_logout

This is an empty ~/.bash_logout that can be used as a template. You will notice that the base ~/.bash_logout does not include a clear command. This is because the clear is handled in the /etc/issue file.

cat > ~/.bash_logout << "EOF"
# Begin ~/.bash_logout
# Written for Beyond Linux From Scratch
# by James Robertson <[email protected]>

# Personal items to perform on logout.

# End ~/.bash_logout
EOF

/etc/dircolors

If you want to use the dircolors capability, then run the following command. The /etc/skel setup steps shown above also can be used here to provide a ~/.dircolors file when a new user is set up. As before, just change the output file name on the following command and assure the permissions, owner, and group are correct on the files created and/or copied.

dircolors -p > /etc/dircolors

If you wish to customize the colors used for different file types, you can edit the /etc/dircolors file. The instructions for setting the colors are embedded in the file.

Finally, Ian Macdonald has written an excellent collection of tips and tricks to enhance your shell environment. You can read it online at http://www.caliban.org/bash/index.shtml.

Last updated on 2018-12-02 14:36:16 -0800

The /etc/vimrc and ~/.vimrc Files

The LFS book installs Vim as its text editor. At this point it should be noted that there are a lot of different editing applications out there including Emacs, nano, Joe and many more. Anyone who has been around the Internet (especially usenet) for a short time will certainly have observed at least one flame war, usually involving Vim and Emacs users!

The LFS book creates a basic vimrc file. In this section you'll find an attempt to enhance this file. At startup, vim reads the global configuration file (/etc/vimrc) as well as a user-specific file (~/.vimrc). Either or both can be tailored to suit the needs of your particular system.

Here is a slightly expanded .vimrc that you can put in ~/.vimrc to provide user specific effects. Of course, if you put it into /etc/skel/.vimrc instead, it will be made available to users you add to the system later. You can also copy the file from /etc/skel/.vimrc to the home directory of users already on the system, such as root. Be sure to set permissions, owner, and group if you do copy anything directly from /etc/skel.

" Begin .vimrc

set columns=80
set wrapmargin=8
set ruler

" End .vimrc

Note that the comment tags are " instead of the more usual # or //. This is correct, the syntax for vimrc is slightly unusual.

Below you'll find a quick explanation of what each of the options in this example file means here:

  • set columns=80: This simply sets the number of columns used on the screen.

  • set wrapmargin=8: This is the number of characters from the right window border where wrapping starts.

  • set ruler: This makes vim show the current row and column at the bottom right of the screen.

More information on the many vim options can be found by reading the help inside vim itself. Do this by typing :help in vim to get the general help, or by typing :help usr_toc.txt to view the User Manual Table of Contents.

Last updated on 2007-10-16 06:02:24 -0700

Customizing your Logon with /etc/issue

When you first boot up your new LFS system, the logon screen will be nice and plain (as it should be in a bare-bones system). Many people however, will want their system to display some information in the logon message. This can be accomplished using the file /etc/issue.

The /etc/issue file is a plain text file which will also accept certain escape sequences (see below) in order to insert information about the system. There is also the file issue.net which can be used when logging on remotely. ssh however, will only use it if you set the option in the configuration file and will not interpret the escape sequences shown below.

One of the most common things which people want to do is clear the screen at each logon. The easiest way of doing that is to put a "clear" escape sequence into /etc/issue. A simple way of doing this is to issue the command clear > /etc/issue. This will insert the relevant escape code into the start of the /etc/issue file. Note that if you do this, when you edit the file, you should leave the characters (normally '^[[H^[[2J') on the first line alone.

Note

Terminal escape sequences are special codes recognized by the terminal. The ^[ represents an ASCII ESC character. The sequence ESC [ H puts the cursor in the upper left hand corner of the screen and ESC 2 J erases the screen. For more information on terminal escape sequences see http://rtfm.etla.org/xterm/ctlseq.html

The following sequences are recognized by agetty (the program which usually parses /etc/issue). This information is from man agetty where you can find extra information about the logon process.

The issue file can contain certain character sequences to display various information. All issue sequences consist of a backslash (\) immediately followed by one of the letters explained below (so \d in /etc/issue would insert the current date).

b   Insert the baudrate of the current line.
d   Insert the current date.
s   Insert the system name, the name of the operating system.
l   Insert the name of the current tty line.
m   Insert the architecture identifier of the machine, e.g., i686.
n   Insert the nodename of the machine, also known as the hostname.
o   Insert the domainname of the machine.
r   Insert the release number of the kernel, e.g., 2.6.11.12.
t   Insert the current time.
u   Insert the number of current users logged in.
U   Insert the string "1 user" or "<n> users" where <n> is the
    number of current users logged in.
v   Insert the version of the OS, e.g., the build-date etc.

Last updated on 2007-04-04 12:42:53 -0700

Random Number Generation

The Linux kernel supplies a random number generator which is accessed through /dev/random and /dev/urandom. Programs that utilize the random and urandom devices, such as OpenSSH, will benefit from these instructions.

When a Linux system starts up without much operator interaction, the entropy pool (data used to compute a random number) may be in a fairly predictable state. This creates the real possibility that the number generated at startup may always be the same. In order to counteract this effect, you should carry the entropy pool information across your shut-downs and start-ups.

Install the /etc/rc.d/init.d/random init script included with the blfs-bootscripts-20191204 package.

make install-random

Last updated on 2016-06-03 20:04:06 -0700

Chapter 4. Security

Security takes many forms in a computing environment. After some initial discussion, this chapter gives examples of three different types of security: access, prevention and detection.

Access for users is usually handled by login or an application designed to handle the login function. In this chapter, we show how to enhance login by setting policies with PAM modules. Access via networks can also be secured by policies set by iptables, commonly referred to as a firewall. The Network Security Services (NSS) and Netscape Portable Runtime (NSPR) libraries can be installed and shared among the many applications requiring them. For applications that don't offer the best security, you can use the Stunnel package to wrap an application daemon inside an SSL tunnel.

Prevention of breaches, like a trojan, are assisted by applications like GnuPG, specifically the ability to confirm signed packages, which recognizes modifications of the tarball after the packager creates it.

Finally, we touch on detection with a package that stores "signatures" of critical files (defined by the administrator) and then regenerates those "signatures" and compares for files that have been changed.

Vulnerabilities

About vulnerabilities

All software has bugs. Sometimes, a bug can be exploited, for example to allow users to gain enhanced privileges (perhaps gaining a root shell, or simply accessing or deleting other user's files), or to allow a remote site to crash an application (denial of service), or for theft of data. These bugs are labelled as vulnerabilities.

The main place where vulnerabilities get logged is cve.mitre.org. Unfortunately, many vulnerability numbers (CVE-yyyy-nnnn) are initially only labelled as "reserved" when distributions start issuing fixes. Also, some vulnerabilities apply to particular combinations of configure options, or only apply to old versions of packages which have long since been updated in BLFS.

BLFS differs from distributions - there is no BLFS security team, and the editors only become aware of vulnerabilities after they are public knowledge. Sometimes, a package with a vulnerability will not be updated in the book for a long time. Issues can be logged in the Trac system, which might speed up resolution.

The normal way for BLFS to fix a vulnerability is, ideally, to update the book to a new fixed release of the package. Sometimes that happens even before the vulnerability is public knowledge, so there is no guarantee that it will be shown as a vulnerability fix in the Changelog. Alternatively, a sed command, or a patch taken from a distribution, may be appropriate.

The bottom line is that you are responsible for your own security, and for assessing the potential impact of any problems.

To keep track of what is being discovered, you may wish to follow the security announcements of one or more distributions. For example, Debian has Debian security. Fedora's links on security are at the Fedora wiki. Details of Gentoo linux security announcements are discussed at Gentoo security. Finally, the Slackware archives of security announcements are at Slackware security.

The most general English source is perhaps the Full Disclosure Mailing List, but please read the comment on that page. If you use other languages you may prefer other sites such as http://www.heise.de/security heise.de (German) or cert.hr (Croatian). These are not linux-specific. There is also a daily update at lwn.net for subscribers (free access to the data after 2 weeks, but their vulnerabilities database at lwn.net/Vulnerabilities is unrestricted).

For some packages, subscribing to their 'announce' lists will provide prompt news of newer versions.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/vulnerabilities

Last updated on 2015-09-20 15:38:20 -0700

make-ca-1.5

Introduction to make-ca

Public Key Infrastructure (PKI) is a method to validate the authenticity of an otherwise unknown entity across untrusted networks. PKI works by establishing a chain of trust, rather than trusting each individual host or entity explicitly. In order for a certificate presented by a remote entity to be trusted, that certificate must present a complete chain of certificates that can be validated using the root certificate of a Certificate Authority (CA) that is trusted by the local machine.

Establishing trust with a CA involves validating things like company address, ownership, contact information, etc., and ensuring that the CA has followed best practices, such as undergoing periodic security audits by independent investigators and maintaining an always available certificate revocation list. This is well outside the scope of BLFS (as it is for most Linux distributions). The certificate store provided here is taken from the Mozilla Foundation, who have established very strict inclusion policies described here.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

make-ca Dependencies

Required

p11-kit-0.23.20 (required at runtime to generate certificate stores from trust anchors)

Optional (runtime)

Java-12.0.2 or OpenJDK-12.0.2 (to generate a java PKCS#12 store), and NSS-3.50 (to generate a shared NSSDB)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/make-ca

Installation of make-ca

The make-ca script will download and process the certificates included in the certdata.txt file for use as trust anchors for the p11-kit-0.23.20 trust module. Additionally, it will generate system certificate stores used by BLFS applications (if the recommended and optional applications are present on the system). Any local certificates stored in /etc/ssl/local will be imported to both the trust anchors and the generated certificate stores (overriding Mozilla's trust). Additionally, any modified trust values will be copied from the trust anchors to /etc/ssl/local prior to any updates, preserving custom trust values that differ from Mozilla when using the trust utility from p11-kit to operate on the trust store.

To install the various certificate stores, first install the make-ca script into the correct location. As the root user:

make install &&
install -vdm755 /etc/ssl/local

As the root user, after installing p11-kit-0.23.20, download the certificate source and prepare for system use with the following command:

Note

If running the script a second time with the same version of certdata.txt, for instance, to add additional stores as the requisite software is installed, add the -r switch to the command line. If packaging, run make-ca --help to see all available command line options.

/usr/sbin/make-ca -g

You should periodically update the store with the above command, either manually, or via a cron job. If you've installed Fcron-3.2.1 and completed the section on periodic jobs, execute the following commands, as the root user, to create a weekly cron job:

install -vdm755 /etc/cron.weekly              &&
cat > /etc/cron.weekly/update-pki.sh << "EOF" &&
#!/bin/bash
/usr/sbin/make-ca -g
EOF
chmod 754 /etc/cron.weekly/update-pki.sh

Configuring make-ca

For most users, no additional configuration is necessary, however, the default certdata.txt file provided by make-ca is obtained from the mozilla-release branch, and is modified to provide a Mercurial revision. This will be the correct version for most systems. There are several other variants of the file available for use that might be preferred for one reason or another, including the files shipped with Mozilla products in this book. RedHat and OpenSUSE, for instance, use the version included in NSS-3.50. Additional upstream downloads are available at the links included in /etc/make-ca.conf.dist. Simply copy the file to /etc/make-ca.conf and edit as appropriate.

About Trust Arguments

There are three trust types that are recognized by the make-ca script, SSL/TLS, S/Mime, and code signing. For OpenSSL, these are serverAuth, emailProtection, and codeSigning respectively. If one of the three trust arguments is omitted, the certificate is neither trusted, nor rejected for that role. Clients that use OpenSSL or NSS encountering this certificate will present a warning to the user. Clients using GnuTLS without p11-kit support are not aware of trusted certificates. To include this CA into the ca-bundle.crt, email-ca-bundle.crt, or objsign-ca-bundle.crt files (the GnuTLS legacy bundles), it must have the appropriate trust arguments.

Adding Additional CA Certificates

The /etc/ssl/local directory is available to add additional CA certificates to the system. For instance, you might need to add an organization or government CA certificate. Files in this directory must be in the OpenSSL trusted certificate format. To create an OpenSSL trusted certificate from a regular PEM encoded file, you need to add trust arguments to the openssl command, and create a new certificate. For example, using the CAcert roots, if you want to trust both for all three roles, the following commands will create appropriate OpenSSL trusted certificates (run as the root user after Wget-1.20.3 is installed):

wget http://www.cacert.org/certs/root.crt &&
wget http://www.cacert.org/certs/class3.crt &&
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
        > /etc/ssl/local/CAcert_Class_1_root.pem &&
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
        > /etc/ssl/local/CAcert_Class_3_root.pem &&
/usr/sbin/make-ca -r -f

Overriding Mozilla Trust

Occasionally, there may be instances where you don't agree with Mozilla's inclusion of a particular certificate authority. If you'd like to override the default trust of a particular CA, simply create a copy of the existing certificate in /etc/ssl/local with different trust arguments. For example, if you'd like to distrust the "Makebelieve_CA_Root" file, run the following commands:

openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
             -text \
             -fingerprint \
             -setalias "Disabled Makebelieve CA Root" \
             -addreject serverAuth \
             -addreject emailProtection \
             -addreject codeSigning \
       > /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem &&
/usr/sbin/make-ca -r -f

Contents

Installed Programs: make-ca
Installed Directories: /etc/ssl/{certs,local} and /etc/pki/{nssdb,anchors,tls/{certs,java}}

Short Descriptions

make-ca

is a shell script that adapts a current version of certdata.txt, and prepares it for use as the system trust store.

Last updated on 2020-02-15 08:54:30 -0800

CrackLib-2.9.7

Introduction to CrackLib

The CrackLib package contains a library used to enforce strong passwords by comparing user selected passwords to words in chosen word lists.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Additional Downloads

There are additional word lists available for download, e.g., from http://www.cotse.com/tools/wordlists.htm. CrackLib can utilize as many, or as few word lists you choose to install.

Important

Users tend to base their passwords on regular words of the spoken language, and crackers know that. CrackLib is intended to filter out such bad passwords at the source using a dictionary created from word lists. To accomplish this, the word list(s) for use with CrackLib must be an exhaustive list of words and word-based keystroke combinations likely to be chosen by users of the system as (guessable) passwords.

The default word list recommended above for downloading mostly satisfies this role in English-speaking countries. In other situations, it may be necessary to download (or even create) additional word lists.

Note that word lists suitable for spell-checking are not usable as CrackLib word lists in countries with non-Latin based alphabets, because of word-based keystroke combinations that make bad passwords.

CrackLib Dependencies

Optional

Python-2.7.17

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/cracklib

Installation of CrackLib

Install CrackLib by running the following commands:

sed -i '/skipping/d' util/packer.c &&

./configure --prefix=/usr    \
            --disable-static \
            --with-default-dict=/lib/cracklib/pw_dict &&
make

Now, as the root user:

make install                      &&
mv -v /usr/lib/libcrack.so.* /lib &&
ln -sfv ../../lib/$(readlink /usr/lib/libcrack.so) /usr/lib/libcrack.so

Issue the following commands as the root user to install the recommended word list and create the CrackLib dictionary. Other word lists (text based, one word per line) can also be used by simply installing them into /usr/share/dict and adding them to the create-cracklib-dict command.

install -v -m644 -D    ../cracklib-words-2.9.7.bz2 \
                         /usr/share/dict/cracklib-words.bz2    &&

bunzip2 -v               /usr/share/dict/cracklib-words.bz2    &&
ln -v -sf cracklib-words /usr/share/dict/words                 &&
echo $(hostname) >>      /usr/share/dict/cracklib-extra-words  &&
install -v -m755 -d      /lib/cracklib                         &&

create-cracklib-dict     /usr/share/dict/cracklib-words \
                         /usr/share/dict/cracklib-extra-words

If desired, check the proper operation of the library as an unprivileged user by issuing the following command:

make test

Important

If you are installing CrackLib after your LFS system has been completed and you have the Shadow package installed, you must reinstall Shadow-4.8.1 if you wish to provide strong password support on your system. If you are now going to install the Linux-PAM-1.3.1 package, you may disregard this note as Shadow will be reinstalled after the Linux-PAM installation.

Command Explanations

sed -i '/skipping/d' util/packer.c: Remove a meaningless warning.

--with-default-dict=/lib/cracklib/pw_dict: This parameter forces the installation of the CrackLib dictionary to the /lib hierarchy.

--disable-static: This switch prevents installation of static versions of the libraries.

mv -v /usr/lib/libcrack.so.2* /lib and ln -v -sf ../../lib/libcrack.so.2.9.0 ...: These two commands move the libcrack.so.2.9.0 library and associated symlink from /usr/lib to /lib, then recreates the /usr/lib/libcrack.so symlink pointing to the relocated file.

install -v -m644 -D ...: This command creates the /usr/share/dict directory (if it doesn't already exist) and installs the compressed word list there.

ln -v -s cracklib-words /usr/share/dict/words: The word list is linked to /usr/share/dict/words as historically, words is the primary word list in the /usr/share/dict directory. Omit this command if you already have a /usr/share/dict/words file installed on your system.

echo $(hostname) >>...: The value of hostname is echoed to a file called cracklib-extra-words. This extra file is intended to be a site specific list which includes easy to guess passwords such as company or department names, user names, product names, computer names, domain names, etc.

create-cracklib-dict ...: This command creates the CrackLib dictionary from the word lists. Modify the command to add any additional word lists you have installed.

Contents

Installed Programs: cracklib-check, cracklib-format, cracklib-packer, cracklib-unpacker and create-cracklib-dict
Installed Libraries: libcrack.so and the _cracklibmodule.so Python module
Installed Directories: /lib/cracklib, /usr/share/dict and /usr/share/cracklib

Short Descriptions

cracklib-check

is used to determine if a password is strong.

cracklib-format

is used to format text files (lowercases all words, removes control characters and sorts the lists).

cracklib-packer

creates a database with words read from standard input.

cracklib-unpacker

displays on standard output the database specified.

create-cracklib-dict

is used to create the CrackLib dictionary from the given word list(s).

libcrack.so

provides a fast dictionary lookup method for strong password enforcement.

Last updated on 2020-02-15 08:54:30 -0800

cryptsetup-2.0.6

Introduction to cryptsetup

cryptsetup is used to set up transparent encryption of block devices using the kernel crypto API.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

cryptsetup Dependencies

Required

JSON-C-0.13.1, libgcrypt-1.8.5, LVM2-2.03.08, and popt-1.16

Optional

libpwquality-1.4.2, Python-2.7.17, and passwdqc

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/cryptsetup

Kernel Configuration

Encrypted block devices require kernel support. To use it, the appropriate kernel configuration parameters need to be set:

Device Drivers  --->          
  [*] Multiple devices driver support (RAID and LVM) ---> [CONFIG_MD]
       <*/M> Device mapper support                        [CONFIG_BLK_DEV_DM]
       <*/M> Crypt target support                         [CONFIG_DM_CRYPT]

Cryptographic API  --->                                    
  <*/M> XTS support                                       [CONFIG_CRYPTO_XTS]
  <*/M> SHA224 and SHA256 digest algorithm                [CONFIG_CRYPTO_SHA256]
  <*/M> AES cipher algorithms                             [CONFIG_CRYPTO_AES]
  <*/M> AES cipher algorithms (x86_64)                    [CONFIG_CRYPTO_AES_X86_64] 
  <*/M> User-space interface for symmetric key cipher algorithms
                                                          [CONFIG_CRYPTO_USER_API_SKCIPHER]
  For tests:
  <*/M> Twofish cipher algorithm                          [CONFIG_CRYPTO_TWOFISH]

Installation of cryptsetup

Install cryptsetup by running the following commands:

./configure --prefix=/usr \
            --with-crypto_backend=openssl &&
make

To test the result, issue as the root user: make check. Some tests may fail if the kernel configuration parameters above are not set. One (of 12) tests is known to fail.

Now, as the root user:

make install

Command Explanations

--with-crypto_backend=openssl: This parameter selects the cryptographic libraries to use with the application. gcrypt is the default.

Configuring cryptsetup

Because of the number of possible configurations, setup of encrypted volumes is beyond the scope of the BLFS book. Please see the configuration guide in the cryptsetup FAQ.

Contents

Installed Programs: cryptsetup, cryptsetup-reencrypt, integritysetup, and veritysetup
Installed Libraries: libcryptsetup.so
Installed Directories: None

Short Descriptions

cryptsetup

is used to setup dm-crypt managed device-mapper mappings.

cryptsetup-reencrypt

is a for offline LUKS device re-encryption.

integritysetup

is a tool to manage dm-integrity (block level integrity) volumes.

veritysetup

is used to configure dm-verity managed device-mapper mappings. Device-mapper verity target provides read-only transparent integrity checking of block devices using kernel crypto API.

Last updated on 2020-02-19 08:47:37 -0800

Cyrus SASL-2.1.27

Introduction to Cyrus SASL

The Cyrus SASL package contains a Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. To use SASL, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Cyrus SASL Dependencies

Recommended
Optional

Linux-PAM-1.3.1, MIT Kerberos V5-1.18, MariaDB-10.4.12 or MySQL, OpenJDK-12.0.2, OpenLDAP-2.4.49, PostgreSQL-12.2, SQLite-3.31.1, krb4 and Dmalloc

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/cyrus-sasl

Installation of Cyrus SASL

Note

This package does not support parallel build.

Install Cyrus SASL by running the following commands:

./configure --prefix=/usr        \
            --sysconfdir=/etc    \
            --enable-auth-sasldb \
            --with-dbpath=/var/lib/sasl/sasldb2 \
            --with-saslauthd=/var/run/saslauthd &&
make -j1

This package does not come with a test suite. If you are planning on using the GSSAPI authentication mechanism, test it after installing the package using the sample server and client programs which were built in the preceding step. Instructions for performing the tests can be found at http://www.linuxfromscratch.org/hints/downloads/files/cyrus-sasl.txt.

Now, as the root user:

make install &&
install -v -dm755                          /usr/share/doc/cyrus-sasl-2.1.27/html &&
install -v -m644  saslauthd/LDAP_SASLAUTHD /usr/share/doc/cyrus-sasl-2.1.27      &&
install -v -m644  doc/legacy/*.html        /usr/share/doc/cyrus-sasl-2.1.27/html &&
install -v -dm700 /var/lib/sasl

Command Explanations

--with-dbpath=/var/lib/sasl/sasldb2: This switch forces the sasldb database to be created in /var/lib/sasl instead of /etc.

--with-saslauthd=/var/run/saslauthd: This switch forces saslauthd to use the FHS compliant directory /var/run/saslauthd for variable run-time data.

--enable-auth-sasldb: This switch enables SASLDB authentication backend.

--with-dblib=gdbm: This switch forces GDBM to be used instead of Berkeley DB.

--with-ldap: This switch enables the OpenLDAP support.

--enable-ldapdb: This switch enables the LDAPDB authentication backend. There is a circular dependency with this parameter. See http://wiki.linuxfromscratch.org/blfs/wiki/cyrus-sasl for a solution to this problem.

--enable-java: This switch enables compiling of the Java support libraries.

--enable-login: This option enables unsupported LOGIN authentication.

--enable-ntlm: This option enables unsupported NTLM authentication.

install -v -m644 ...: These commands install documentation which is not installed by the make install command.

install -v -m700 -d /var/lib/sasl: This directory must exist when starting saslauthd or using the sasldb plugin. If you're not going to be running the daemon or using the plugins, you may omit the creation of this directory.

Configuring Cyrus SASL

Config Files

/etc/saslauthd.conf (for saslauthd LDAP configuration) and /etc/sasl2/Appname.conf (where "Appname" is the application defined name of the application)

Configuration Information

See https://www.cyrusimap.org/sasl/sasl/sysadmin.html for information on what to include in the application configuration files.

See file:///usr/share/doc/cyrus-sasl-2.1.27/LDAP_SASLAUTHD for configuring saslauthd with OpenLDAP.

See https://www.cyrusimap.org/sasl/sasl/gssapi.html#gssapi for configuring saslauthd with Kerberos.

Init Script

If you need to run the saslauthd daemon at system startup, install the /etc/rc.d/init.d/saslauthd init script included in the blfs-bootscripts-20191204 package using the following command:

make install-saslauthd

Note

You'll need to modify /etc/sysconfig/saslauthd and modify the AUTHMECH parameter with your desired authentication mechanism.

Contents

Installed Programs: pluginviewer, saslauthd, sasldblistusers2, saslpasswd2 and testsaslauthd
Installed Library: libsasl2.so
Installed Directories: /usr/include/sasl, /usr/lib/sasl2, /usr/share/doc/cyrus-sasl-2.1.27 and /var/lib/sasl

Short Descriptions

pluginviewer

is used to list loadable SASL plugins and their properties.

saslauthd

is the SASL authentication server.

sasldblistusers2

is used to list the users in the SASL password database sasldb2.

saslpasswd2

is used to set and delete a user's SASL password and mechanism specific secrets in the SASL password database sasldb2.

testsaslauthd

is a test utility for the SASL authentication server.

libsasl2.so

is a general purpose authentication library for server and client applications.

Last updated on 2020-02-17 12:03:00 -0800

GnuPG-2.2.19

Introduction to GnuPG

The GnuPG package is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440 and the S/MIME standard as described by several RFCs. GnuPG 2 is the stable version of GnuPG integrating support for OpenPGP and S/MIME.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

GnuPG 2 Dependencies

Required

Libassuan-2.5.3, libgcrypt-1.8.5, Libksba-1.3.5, and npth-1.6

Recommended
Optional

cURL-7.68.0, Fuse-3.9.0, GnuTLS-3.6.12, ImageMagick-7.0.9-23 (for the convert utility, used for generating the documentation), libusb-1.0.23, an MTA, OpenLDAP-2.4.49, SQLite-3.31.1, texlive-20190410 (or install-tl-unx), fig2dev (for generating documentation), and GNU adns

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gnupg2

Installation of GnuPG

By default GnuPG doesn't install the deprecated gpg-zip script, but it is still needed by some programs. Make GnuPG install it with:

sed -e '/noinst_SCRIPTS = gpg-zip/c sbin_SCRIPTS += gpg-zip' \
    -i tools/Makefile.in

Install GnuPG by running the following commands:

./configure --prefix=/usr            \
            --enable-symcryptrun     \
            --localstatedir=/var     \
            --docdir=/usr/share/doc/gnupg-2.2.19 &&
make &&

makeinfo --html --no-split -o doc/gnupg_nochunks.html doc/gnupg.texi &&
makeinfo --plaintext       -o doc/gnupg.txt           doc/gnupg.texi &&
make -C doc html

If you have texlive-20190410 installed and you wish to create documentation in alternate formats, issue the following commands (fig2dev is needed for the ps format):

make -C doc pdf ps

To test the results, issue: make check.

Note that if you have already installed GnuPG, the instructions below will overwrite /usr/share/man/man1/gpg-zip.1. Now, as the root user:

make install &&

install -v -m755 -d /usr/share/doc/gnupg-2.2.19/html            &&
install -v -m644    doc/gnupg_nochunks.html \
                    /usr/share/doc/gnupg-2.2.19/html/gnupg.html &&
install -v -m644    doc/*.texi doc/gnupg.txt \
                    /usr/share/doc/gnupg-2.2.19 &&
install -v -m644    doc/gnupg.html/* \
                    /usr/share/doc/gnupg-2.2.19/html

If you created alternate formats of the documentation, install them using the following command as the root user:

install -v -m644 doc/gnupg.{pdf,dvi,ps} \
                 /usr/share/doc/gnupg-2.2.19

Command Explanations

sed ... tools/Makefile.in: This command is needed to build the gpg-zip program.

--docdir=/usr/share/doc/gnupg-2.2.19: This switch changes the default docdir to /usr/share/doc/gnupg-2.2.19.

--enable-symcryptrun: This switch enables building the symcryptrun program.

--enable-all-tests: allows more tests to be run with make check.

--enable-g13: This switch enables building the g13 program.

Contents

Installed Programs: addgnupghome, applygnupgdefaults, dirmngr, dirmngr-client, g13 (optional), gpg-agent, gpg-connect-agent, gpg, gpgconf, gpgparsemail, gpgscm, gpgsm, gpgtar, gpgv, gpg-wks-server, gpg-zip, kbxutil, symcryptrun, and watchgnupg
Installed Libraries: None
Installed Directories: /usr/share/doc/gnupg-2.2.19 and /usr/share/gnupg

Short Descriptions

addgnupghome

is used to create and populate a user's ~/.gnupg directories

applygnupgdefaults

is a wrapper script used to run gpgconf with the --apply-defaults parameter on all user's GnuPG home directories.

dirmngr

is a tool that takes care of accessing the OpenPGP keyservers.

dirmngr-client

is a tool to contact a running dirmngr and test whether a certificate has been revoked.

g13

is a tool to create, mount or unmount an encrypted file system container (optional).

gpg-agent

is a daemon used to manage secret (private) keys independently from any protocol. It is used as a backend for gpg2 and gpgsm as well as for a couple of other utilities.

gpg-connect-agent

is a utility used to communicate with a running gpg-agent.

gpg

is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool used to provide digital encryption and signing services using the OpenPGP standard.

gpgconf

is a utility used to automatically and reasonably safely query and modify configuration files in the ~/.gnupg home directory. It is designed not to be invoked manually by the user, but automatically by graphical user interfaces.

gpgparsemail

is a utility currently only useful for debugging. Run it with --help for usage information.

gpgscm

executes the given scheme program or spawns an interactive shell.

gpgsm

is a tool similar to gpg2 used to provide digital encryption and signing services on X.509 certificates and the CMS protocol. It is mainly used as a backend for S/MIME mail processing.

gpgtar

is a tool to encrypt or sign files into an archive.

gpgv

is a verify only version of gpg2.

gpg-wks-server

provides a server for the Web Key Service protocol.

gpg-zip

encrypts or signs files into an archive.

kbxutil

is used to list, export and import Keybox data.

symcryptrun

is a simple symmetric encryption tool.

watchgnupg

is used to listen to a Unix Domain socket created by any of the GnuPG tools.

Last updated on 2020-02-16 15:15:05 -0800

GnuTLS-3.6.12

Introduction to GnuTLS

The GnuTLS package contains libraries and userspace tools which provide a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards by the IETF's TLS working group. Quoting from the TLS protocol specification:

The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.

GnuTLS provides support for TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0, and SSL 3.0 protocols, TLS extensions, including server name and max record size. Additionally, the library supports authentication using the SRP protocol, X.509 certificates and OpenPGP keys, along with support for the TLS Pre-Shared-Keys (PSK) extension, the Inner Application (TLS/IA) extension and X.509 and OpenPGP certificate handling.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

GnuTLS Dependencies

Required

Nettle-3.5.1

Recommended
Optional

Doxygen-1.8.17, GTK-Doc-1.32, Guile-3.0.0, libidn-1.35 or libidn2-2.3.0 Net-tools-CVS_20101030 (used during the test suite), texlive-20190410 or install-tl-unx, Unbound-1.9.6 (to build the DANE library), Valgrind-3.15.0 (used during the test suite), autogen, cmocka and datefudge (used during the test suite if the DANE library is built), and Trousers (Trusted Platform Module support)

Note

Note that if you do not install libtasn1-4.16.0, an older version shipped in the GnuTLS tarball will be used instead.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gnutls

Installation of GnuTLS

Install GnuTLS by running the following commands:

./configure --prefix=/usr \
            --docdir=/usr/share/doc/gnutls-3.6.12 \
            --disable-guile \
            --with-default-trust-store-pkcs11="pkcs11:" &&
make

To test the results, issue: make check. If a prior version of GnuTLS (or the same version but without all of the recommended dependencies) has been installed, some tests may fail. If /usr/lib/libgnutls.so and the target of that symlink are moved or renamed so that they cannot be found, all tests should pass and the install procedure will restore libgnutls.so and the versioned library it points to.

Now, as the root user:

make install

If you passed --enable-gtk-doc to the configure script, the API will automatically be installed. Otherwise, if desired, you can still install the API documentation to the /usr/share/gtk-doc/html/gnutls directory using the following command as the root user:

make -C doc/reference install-data-local

Command Explanations

--with-default-trust-store-pkcs11="pkcs11:": This switch tells gnutls to use the PKCS #11 trust store as the default trust. Omit this switch if p11-kit-0.23.20 is not installed.

--disable-guile: This switch disables GUILE support, since GnuTLS does not support Guile-2.2.x yet.

--with-default-trust-store-file=/etc/pki/tls/certs/ca-bundle.crt: This switch tells configure where to find the legacy CA certificate bundle and to use it instead of PKCS #11 module by default. Use this if p11-kit-0.23.20 is not installed.

--enable-gtk-doc: Use this parameter if GTK-Doc is installed and you wish to rebuild and install the API documentation.

--enable-openssl-compatibility: Use this switch if you wish to build the OpenSSL compatibility library.

--without-p11-kit: use this switch if you have not installed p11-kit.

--with-included-unistring: uses the bundled version of libunistring, instead of the system one. Use this switch if you have not installed libunistring-0.9.10.

Contents

Installed Programs: certtool, danetool, gnutls-cli, gnutls-cli-debug, gnutls-serv, ocsptool, p11tool, psktool, and srptool
Installed Libraries: libgnutls.so, libgnutls-dane.so, libgnutlsxx.so, libgnutls-openssl.so (optional), and /usr/lib/guile/2.2/guile-gnutls-v-2.so
Installed Directories: /usr/{include,share/gtk-doc/html,share/guile/site/2.2}/gnutls

Short Descriptions

certtool

is used to generate X.509 certificates, certificate requests, and private keys.

danetool

is a tool used to generate and check DNS resource records for the DANE protocol.

gnutls-cli

is a simple client program to set up a TLS connection to some other computer.

gnutls-cli-debug

is a simple client program to set up a TLS connection to some other computer and produces very verbose progress results.

gnutls-serv

is a simple server program that listens to incoming TLS connections.

ocsptool

is a program that can parse and print information about OCSP requests/responses, generate requests and verify responses.

p11tool

is a program that allows handling data from PKCS #11 smart cards and security modules.

psktool

is a simple program that generates random keys for use with TLS-PSK.

srptool

is a simple program that emulates the programs in the Stanford SRP (Secure Remote Password) libraries using GnuTLS.

libgnutls.so

contains the core API functions and X.509 certificate API functions.

Last updated on 2020-02-16 18:46:23 -0800

GPGME-1.13.1

Introduction to GPGME

The GPGME package is a C library that allows cryptography support to be added to a program. It is designed to make access to public key crypto engines like GnuPG or GpgSM easier for applications. GPGME provides a high-level crypto API for encryption, decryption, signing, signature verification and key management.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

GPGME Dependencies

Required

Libassuan-2.5.3

Optional

Doxygen-1.8.17 and Graphviz-2.42.3 (for API documentation), GnuPG-2.2.19 (required if Qt or SWIG are installed; used during the testsuite), Clisp-2.49, Python-2.7.17, Qt-5.14.1, and/or SWIG-4.0.1 (for language bindings)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gpgme

Installation of GPGME

Install GPGME by running the following commands:

./configure --prefix=/usr --disable-gpg-test &&
make

To test the results, you should have GnuPG-2.2.19 installed and remove the --disable-gpg-test above. Issue: make check.

Now, as the root user:

make install

Command Explanations

--disable-gpg-test: if this parameter is not passed to configure, the test programs are built during make stage, which requires GnuPG-2.2.19. This parameter is not needed if GnuPG-2.2.19 is installed.

Contents

Installed Program: gpgme-config, gpgme-json, and gpgme-tool
Installed Libraries: libgpgme, libgpgmepp.so, and libqgpgme.so
Installed Directory: /usr/include/{gpgme++,qgpgme,QGpgME}, /usr/lib/cmake/{Gpgmepp,QGpgme}. /usr/lib/python{2.7,3.7}/site-packages/gpg, and /usr/share/common-lisp/source/gpgme

Short Descriptions

gpgme-config

is used to obtain GPGME compilation and linking information.

gpgme-json

outputs GPGME commands in JSON format.

gpgme-tool

prints fingerprint and keyid with keyservers.

libgpgme.so

contains the GPGME API functions.

libgpgmepp.so

contains the C++ GPGME API functions.

libqgpgme.so

contains API functions for handling GPG operations in Qt applications.

Last updated on 2020-02-16 18:46:23 -0800

Haveged-1.9.2

Introduction to Haveged

The Haveged package contains a daemon that generates an unpredictable stream of random numbers and feeds the /dev/random device.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/haveged

Installation of Haveged

Install Haveged by running the following commands:

./configure --prefix=/usr &&
make

To test the results, issue: make check.

Now, as the root user:

make install &&
mkdir -pv    /usr/share/doc/haveged-1.9.2 &&
cp -v README /usr/share/doc/haveged-1.9.2

Configuring haveged

Boot Script

If you want the Haveged daemon to start automatically when the system is booted, install the /etc/rc.d/init.d/haveged init script included in the blfs-bootscripts-20191204 package (as the root user):

make install-haveged

Contents

Installed Programs: haveged
Installed Libraries: libhavege.so
Installed Directory: /usr/include/haveged

Short Descriptions

haveged

is a daemon that generates an unpredictable stream of random numbers harvested from the indirect effects of hardware events based on hidden processor states (caches, branch predictors, memory translation tables, etc).

Last updated on 2020-02-15 08:54:30 -0800

iptables-1.8.4

Introduction to iptables

iptables is a userspace command line program used to configure Linux 2.4 and later kernel packet filtering ruleset.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

iptables Dependencies

Optional

libpcap-1.9.1 (required for nfsypproxy support), bpf-utils (required for Berkely Packet Filter support), libnfnetlink (required for connlabel support), and libnetfilter_conntrack" (required for connlabel support)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/iptables

Kernel Configuration

A firewall in Linux is accomplished through the netfilter interface. To use iptables to configure netfilter, the following kernel configuration parameters are required:

[*] Networking support  --->                                          [CONFIG_NET]
      Networking Options  --->
        [*] Network packet filtering framework (Netfilter) --->       [CONFIG_NETFILTER]
          [*] Advanced netfilter configuration                        [CONFIG_NETFILTER_ADVANCED]
          Core Netfilter Configuration --->
            <*/M> Netfilter connection tracking support               [CONFIG_NF_CONNTRACK]
            <*/M> Netfilter Xtables support (required for ip_tables)  [CONFIG_NETFILTER_XTABLES]
            <*/M> LOG target support                                  [CONFIG_NETFILTER_XT_TARGET_LOG]
          IP: Netfilter Configuration --->
            <*/M> IP tables support (required for filtering/masq/NAT) [CONFIG_IP_NF_IPTABLES]

Include any connection tracking protocols that will be used, as well as any protocols that you wish to use for match support under the "Core Netfilter Configuration" section.

Installation of iptables

Note

The installation below does not include building some specialized extension libraries which require the raw headers in the Linux source code. If you wish to build the additional extensions (if you aren't sure, then you probably don't), you can look at the INSTALL file to see an example of how to change the KERNEL_DIR= parameter to point at the Linux source code. Note that if you upgrade the kernel version, you may also need to recompile iptables and that the BLFS team has not tested using the raw kernel headers.

Install iptables by running the following commands:

./configure --prefix=/usr      \
            --sbindir=/sbin    \
            --disable-nftables \
            --enable-libipq    \
            --with-xtlibdir=/lib/xtables &&
make

This package does not come with a test suite.

Now, as the root user:

make install &&
ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml &&

for file in ip4tc ip6tc ipq xtables
do
  mv -v /usr/lib/lib${file}.so.* /lib &&
  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done

Command Explanations

--disable-nftables: This switch disables building nftables compat.

--enable-libipq: This switch enables building of libipq.so which can be used by some packages outside of BLFS.

--with-xtlibdir=/lib/xtables: Ensure all iptables modules are installed in the /lib/xtables directory.

--enable-nfsynproxy: This switch enables installation of nfsynproxy SYNPROXY configuration tool.

ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml: Ensure the symbolic link for iptables-xml is relative.

Contents

Installed Programs: ip6tables, ip6tables-restore, ip6tables-save, iptables, iptables-restore, iptables-save, iptables-xml, nfsynproxy (optional) and xtables-multi
Installed Libraries: libip4tc.so, libip6tc.so, libipq.so, libiptc.so, and libxtables.so
Installed Directories: /lib/xtables and /usr/include/libiptc

Short Descriptions

iptables

is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.

iptables-restore

is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file.

iptables-save

is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.

iptables-xml

is used to convert the output of iptables-save to an XML format. Using the iptables.xslt stylesheet converts the XML back to the format of iptables-restore.

ip6tables*

are a set of commands for IPV6 that parallel the iptables commands above.

nfsynproxy

(optional) configuration tool. SYNPROXY target makes handling of large SYN floods possible without the large performance penalties imposed by the connection tracking in such cases.

xtables-multi

is a binary that behaves according to the name it is called by.

Last updated on 2020-02-26 08:20:10 -0800

Setting Up a Network Firewall

Before you read this part of the chapter, you should have already installed iptables as described in the previous section.

Introduction to Firewall Creation

The general purpose of a firewall is to protect a computer or a network against malicious access.

In a perfect world, every daemon or service on every machine is perfectly configured and immune to flaws such as buffer overflows or other problems regarding its security. Furthermore, you trust every user accessing your services. In this world, you do not need to have a firewall.

In the real world however, daemons may be misconfigured and exploits against essential services are freely available. You may wish to choose which services are accessible by certain machines or you may wish to limit which machines or applications are allowed external access. Alternatively, you may simply not trust some of your applications or users. You are probably connected to the Internet. In this world, a firewall is essential.

Don't assume however, that having a firewall makes careful configuration redundant, or that it makes any negligent misconfiguration harmless. It doesn't prevent anyone from exploiting a service you intentionally offer but haven't recently updated or patched after an exploit went public. Despite having a firewall, you need to keep applications and daemons on your system properly configured and up to date. A firewall is not a cure all, but should be an essential part of your overall security strategy.

Meaning of the Word "Firewall"

The word firewall can have several different meanings.

This is a hardware device or software program commercially sold (or offered via freeware) by companies such as Symantec which claims that it secures a home or desktop computer connected to the Internet. This type of firewall is highly relevant for users who do not know how their computers might be accessed via the Internet or how to disable that access, especially if they are always online and connected via broadband links.

This is a system placed between the Internet and an intranet. To minimize the risk of compromising the firewall itself, it should generally have only one role—that of protecting the intranet. Although not completely risk free, the tasks of doing the routing and IP masquerading (rewriting IP headers of the packets it routes from clients with private IP addresses onto the Internet so that they seem to come from the firewall itself) are commonly considered relatively secure.

This is often an old computer you may have retired and nearly forgotten, performing masquerading or routing functions, but offering non-firewall services such as a web-cache or mail. This may be used for home networks, but is not to be considered as secure as a firewall only machine because the combination of server and router/firewall on one machine raises the complexity of the setup.

Firewall with a Demilitarized Zone [Not Further Described Here]

This box performs masquerading or routing, but grants public access to some branch of your network which, because of public IPs and a physically separated structure, is essentially a separate network with direct Internet access. The servers on this network are those which must be easily accessible from both the Internet and intranet. The firewall protects both networks. This type of firewall has a minimum of three network interfaces.

Packetfilter

This type of firewall does routing or masquerading, but does not maintain a state table of ongoing communication streams. It is fast, but quite limited in its ability to block undesired packets without blocking desired packets.

Now You Can Start to Build your Firewall

Caution

This introduction on how to setup a firewall is not a complete guide to securing systems. Firewalling is a complex issue that requires careful configuration. The scripts quoted here are simply intended to give examples of how a firewall works. They are not intended to fit into any particular configuration and may not provide complete protection from an attack.

Customization of these scripts for your specific situation will be necessary for an optimal configuration, but you should make a serious study of the iptables documentation and creating firewalls in general before hacking away. Have a look at the list of links for further reading at the end of this section for more details. There you will find a list of URLs that contain quite comprehensive information about building your own firewall.

The firewall configuration script installed in the iptables section differs from the standard configuration script. It only has two of the standard targets: start and status. The other targets are clear and lock. For instance if you issue:

/etc/rc.d/init.d/iptables start

the firewall will be restarted just as it is upon system startup. The status target will present a list of all currently implemented rules. The clear target turns off all firewall rules and the lock target will block all packets in and out of the computer with the exception of the loopback interface.

The main startup firewall is located in the file /etc/rc.d/rc.iptables. The sections below provide three different approaches that can be used for a system.

Note

You should always run your firewall rules from a script. This ensures consistency and a record of what was done. It also allows retention of comments that are essential for understanding the rules long after they were written.

Personal Firewall

A Personal Firewall is designed to let you access all the services offered on the Internet, but keep your box secure and your data private.

Below is a slightly modified version of Rusty Russell's recommendation from the Linux 2.4 Packet Filtering HOWTO. It is still applicable to the Linux 2.6 kernels.

cat > /etc/rc.d/rc.iptables << "EOF"
#!/bin/sh

# Begin rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians

# be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT  -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End $rc_base/rc.iptables
EOF
chmod 700 /etc/rc.d/rc.iptables

This script is quite simple, it drops all traffic coming into your computer that wasn't initiated from your computer, but as long as you are simply surfing the Internet you are unlikely to exceed its limits.

If you frequently encounter certain delays at accessing FTP servers, take a look at BusyBox example number 4.

Even if you have daemons or services running on your system, these will be inaccessible everywhere but from your computer itself. If you want to allow access to services on your machine, such as ssh or ping, take a look at BusyBox.

Masquerading Router

A true Firewall has two interfaces, one connected to an intranet, in this example eth0, and one connected to the Internet, here ppp0. To provide the maximum security for the firewall itself, make sure that there are no unnecessary servers running on it such as X11 et al. As a general principle, the firewall itself should not access any untrusted service (think of a remote server giving answers that makes a daemon on your system crash, or even worse, that implements a worm via a buffer-overflow).

cat > /etc/rc.d/rc.iptables << "EOF"
#!/bin/sh

# Begin rc.iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding if the initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
chmod 700 /etc/rc.d/rc.iptables

With this script your intranet should be reasonably secure against external attacks. No one should be able to setup a new connection to any internal service and, if it's masqueraded, makes your intranet invisible to the Internet. Furthermore, your firewall should be relatively safe because there are no services running that a cracker could attack.

Note

If the interface you're connecting to the Internet doesn't connect via PPP, you will need to change <ppp+> to the name of the interface (e.g., eth1) which you are using.

BusyBox

This scenario isn't too different from the Masquerading Router, but additionally offers some services to your intranet. Examples of this can be when you want to administer your firewall from another host on your intranet or use it as a proxy or a name server.

Note

Outlining a true concept of how to protect a server that offers services on the Internet goes far beyond the scope of this document. See the references at the end of this section for more information.

Be cautious. Every service you have enabled makes your setup more complex and your firewall less secure. You are exposed to the risks of misconfigured services or running a service with an exploitable bug. A firewall should generally not run any extra services. See the introduction to the Masquerading Router for some more details.

If you want to add services such as internal Samba or name servers that do not need to access the Internet themselves, the additional statements are quite simple and should still be acceptable from a security standpoint. Just add the following lines into the script before the logging rules.

iptables -A INPUT  -i ! ppp+  -j ACCEPT
iptables -A OUTPUT -o ! ppp+  -j ACCEPT

If daemons, such as squid, have to access the Internet themselves, you could open OUTPUT generally and restrict INPUT.

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT

However, it is generally not advisable to leave OUTPUT unrestricted. You lose any control over trojans who would like to "call home", and a bit of redundancy in case you've (mis-)configured a service so that it broadcasts its existence to the world.

To accomplish this, you should restrict INPUT and OUTPUT on all ports except those that it's absolutely necessary to have open. Which ports you have to open depends on your needs: mostly you will find them by looking for failed accesses in your log files.

Have a Look at the Following Examples:

  • Squid is caching the web:

    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
      -j ACCEPT
    
  • Your caching name server (e.g., named) does its lookups via UDP:

    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    
  • You want to be able to ping your computer to ensure it's still alive:

    iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT
    
  • If you are frequently accessing FTP servers or enjoy chatting, you might notice certain delays because some implementations of these daemons have the feature of querying an identd on your system to obtain usernames. Although there's really little harm in this, having an identd running is not recommended because many security experts feel the service gives out too much additional information.

    To avoid these delays you could reject the requests with a 'tcp-reset':

    iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    
  • To log and drop invalid packets (packets that came in after netfilter's timeout or some types of network scans) insert these rules at the top of the chain:

    iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \
      -j LOG --log-prefix "FIREWALL:INVALID "
    iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP
    
  • Anything coming from the outside should not have a private address, this is a common attack called IP-spoofing:

    iptables -A INPUT -i ppp+ -s 10.0.0.0/8     -j DROP
    iptables -A INPUT -i ppp+ -s 172.16.0.0/12  -j DROP
    iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP
    

    There are other addresses that you may also want to drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link Local Networks), and 192.0.2.0/24 (IANA defined test network).

  • If your firewall is a DHCP client, you need to allow those packets:

    iptables -A INPUT  -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
       -d 255.255.255.255 --dport 68 -j ACCEPT
    
  • To simplify debugging and be fair to anyone who'd like to access a service you have disabled, purposely or by mistake, you could REJECT those packets that are dropped.

    Obviously this must be done directly after logging as the very last lines before the packets are dropped by policy:

    iptables -A INPUT -j REJECT
    

These are only examples to show you some of the capabilities of the firewall code in Linux. Have a look at the man page of iptables. There you will find much more information. The port numbers needed for this can be found in /etc/services, in case you didn't find them by trial and error in your log file.

Conclusion

Finally, there is one fact you must not forget: The effort spent attacking a system corresponds to the value the cracker expects to gain from it. If you are responsible for valuable information, you need to spend the time to protect it properly.

Last updated on 2020-02-26 08:20:10 -0800

libcap-2.31 with PAM

Introduction to libcap with PAM

The libcap package was installed in LFS, but if Linux-PAM support is desired, the PAM module must be built (after installation of Linux-PAM).

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

libcap Dependencies

Required

Linux-PAM-1.3.1

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/libcap

Installation of libcap

Note

If you are upgrading libcap from a previous version, use the instructions in LFS libcap page to upgrade libcap. If the PAM module has been built, it will automatically be picked up.

Install libcap by running the following commands:

make -C pam_cap

This package does not come with a test suite.

Now, as the root user:

install -v -m755 pam_cap/pam_cap.so /lib/security &&
install -v -m644 pam_cap/capability.conf /etc/security

Configuring Libcap

In order to allow Linux-PAM to grant privileges based on POSIX capabilites, you need to add the libcap module to the begining of the /etc/pam.d/system-auth file. Make the required edits with the following commands:

mv -v /etc/pam.d/system-auth{,.bak} &&
cat > /etc/pam.d/system-auth << "EOF" &&
# Begin /etc/pam.d/system-auth

auth      optional    pam_cap.so
EOF
tail -n +3 /etc/pam.d/system-auth.bak >> /etc/pam.d/system-auth

Additonally, you'll need to modify the /etc/security/capability.conf file to grant necessary privileges to users, and utilize the setcap utility to set capabilities on specific utilities as needed. See man 8 setcap and man 3 cap_from_text for additional information.

Contents

Installed Programs: None
Installed Library: pam_cap.so
Installed Directories: None

Last updated on 2020-02-15 08:54:30 -0800

Linux-PAM-1.3.1

Introduction to Linux PAM

The Linux PAM package contains Pluggable Authentication Modules used to enable the local system administrator to choose how applications authenticate users.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Additional Downloads

Optional Documentation

Linux PAM Dependencies

Optional

Berkeley DB-5.3.28, CrackLib-2.9.7, libtirpc-1.2.5 and Prelude

Optional (To Rebuild the Documentation)

docbook-xml-4.5, docbook-xsl-1.79.2, fop-2.4, libxslt-1.1.34 and either Lynx-2.8.9rel.1 or W3m

Note

Shadow-4.8.1 needs to be reinstalled after installing and configuring Linux PAM.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/linux-pam

Installation of Linux PAM

If you downloaded the documentation, unpack the tarball by issuing the following command.

tar -xf ../Linux-PAM-1.3.1-docs.tar.xz --strip-components=1

If you instead want to regenerate the documentation, fix the configure script so that it detects lynx if installed:

sed -e 's/dummy links/dummy lynx/'                                     \
    -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
    -i configure

Install Linux PAM by running the following commands:

./configure --prefix=/usr                    \
            --sysconfdir=/etc                \
            --libdir=/usr/lib                \
            --enable-securedir=/lib/security \
            --docdir=/usr/share/doc/Linux-PAM-1.3.1 &&
make

To test the results, a suitable /etc/pam.d/other configuration file must exist.

Reinstallation or upgrade of Linux PAM

If you have a system with Linux PAM installed and working, be careful when modifying the files in /etc/pam.d, since your system may become totally unusable. If you want to run the tests, you do not need to create another /etc/pam.d/other file. The installed one can be used for that purpose.

You should also be aware that make install overwrites the configuration files in /etc/security as well as /etc/environment. In case you have modified those files, be sure to back them up.

For a first installation, create the configuration file by issuing the following commands as the root user:

install -v -m755 -d /etc/pam.d &&

cat > /etc/pam.d/other << "EOF"
auth     required       pam_deny.so
account  required       pam_deny.so
password required       pam_deny.so
session  required       pam_deny.so
EOF

Now run the tests by issuing make check. Ensure there are no errors produced by the tests before continuing the installation. Note that the checks are quite long. It may be useful to redirect the output to a log file in order to inspect it thoroughly.

Only in case of a first installation, remove the configuration file created earlier by issuing the following command as the root user:

rm -fv /etc/pam.d/*

Now, as the root user:

make install &&
chmod -v 4755 /sbin/unix_chkpwd &&

for file in pam pam_misc pamc
do
  mv -v /usr/lib/lib${file}.so.* /lib &&
  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done

Command Explanations

--enable-securedir=/lib/security: This switch sets install location for the PAM modules.

--disable-regenerate-docu : If the needed dependencies (docbook-xml-4.5, docbook-xsl-1.79.2, libxslt-1.1.34, and Lynx-2.8.9rel.1 or W3m) are installed, the manual pages, and the html and text documentations are (re)generated and installed. Furthermore, if fop-2.4 is installed, the PDF documentation is generated and installed. Use this switch if you do not want to rebuild the documentation.

chmod -v 4755 /sbin/unix_chkpwd: The unix_chkpwd helper program must be setuid so that non-root processes can access the shadow file.

Configuring Linux-PAM

Config Files

/etc/security/* and /etc/pam.d/*

Configuration Information

Configuration information is placed in /etc/pam.d/. Below is an example file:

# Begin /etc/pam.d/other

auth            required        pam_unix.so     nullok
account         required        pam_unix.so
session         required        pam_unix.so
password        required        pam_unix.so     nullok

# End /etc/pam.d/other

Now set up some generic files. As root:

install -vdm755 /etc/pam.d &&
cat > /etc/pam.d/system-account << "EOF" &&
# Begin /etc/pam.d/system-account

account   required    pam_unix.so

# End /etc/pam.d/system-account
EOF

cat > /etc/pam.d/system-auth << "EOF" &&
# Begin /etc/pam.d/system-auth

auth      required    pam_unix.so

# End /etc/pam.d/system-auth
EOF

cat > /etc/pam.d/system-session << "EOF"
# Begin /etc/pam.d/system-session

session   required    pam_unix.so

# End /etc/pam.d/system-session
EOF

The remaining generic file depends on whether CrackLib-2.9.7 is installed. If it is installed, use:

cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# check new passwords for strength (man pam_cracklib)
password  required    pam_cracklib.so    authtok_type=UNIX retry=1 difok=5 \
                                         minlen=9 dcredit=1 ucredit=1 \
                                         lcredit=1 ocredit=1 minclass=0 \
                                         maxrepeat=0 maxsequence=0 \
                                         maxclassrepeat=0 \
                                         dictpath=/lib/cracklib/pw_dict
# use sha512 hash for encryption, use shadow, and use the
# authentication token (chosen password) set by pam_cracklib
# above (or any previous modules)
password  required    pam_unix.so        sha512 shadow use_authtok

# End /etc/pam.d/system-password
EOF

Note

In its default configuration, pam_cracklib will allow multiple case passwords as short as 6 characters, even with the minlen value set to 11. You should review the pam_cracklib(8) man page and determine if these default values are acceptable for the security of your system.

If CrackLib-2.9.7 is NOT installed, use:

cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password  required    pam_unix.so       sha512 shadow try_first_pass

# End /etc/pam.d/system-password
EOF

Now add a restrictive /etc/pam.d/other configuration file. With this file, programs that are PAM aware will not run unless a configuration file specifically for that application is created.

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth        required        pam_warn.so
auth        required        pam_deny.so
account     required        pam_warn.so
account     required        pam_deny.so
password    required        pam_warn.so
password    required        pam_deny.so
session     required        pam_warn.so
session     required        pam_deny.so

# End /etc/pam.d/other
EOF

The PAM man page (man pam) provides a good starting point for descriptions of fields and allowable entries. The Linux-PAM System Administrators' Guide is recommended for additional information.

Important

You should now reinstall the Shadow-4.8.1 package.

Contents

Installed Program: mkhomedir_helper, pam_tally, pam_tally2, pam_timestamp_check, unix_chkpwd and unix_update
Installed Libraries: libpam.so, libpamc.so and libpam_misc.so
Installed Directories: /etc/security, /lib/security, /usr/include/security and /usr/share/doc/Linux-PAM-1.3.1

Short Descriptions

mkhomedir_helper

is a helper binary that creates home directories.

pam_tally

is used to interrogate and manipulate the login counter file.

pam_tally2

is used to interrogate and manipulate the login counter file, but does not have some limitations that pam_tally does.

pam_timestamp_check

is used to check if the default timestamp is valid

unix_chkpwd

is a helper binary that verifies the password of the current user.

unix_update

is a helper binary that updates the password of a given user.

libpam.so

provides the interfaces between applications and the PAM modules.

Last updated on 2020-02-15 08:54:30 -0800

liboauth-1.0.3

Introduction to liboauth

liboauth is a collection of POSIX-C functions implementing the OAuth Core RFC 5849 standard. Liboauth provides functions to escape and encode parameters according to OAuth specification and offers high-level functionality to sign requests or verify OAuth signatures as well as perform HTTP requests.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Additional Downloads

liboauth Dependencies

Required

cURL-7.68.0

Optional

NSS-3.50 and Doxygen-1.8.17 (to build documentation)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/liboauth

Installation of liboauth

Apply a patch for the current version of openssl:

patch -Np1 -i ../liboauth-1.0.3-openssl-1.1.0-3.patch

Install liboauth by running the following commands:

./configure --prefix=/usr --disable-static &&
make

If you wish to build the documentation (needs Doxygen-1.8.17), issue:

make dox

To test the results, issue: make check.

Now, as the root user:

make install

If you have previously built the documentation, install it by running the following commands as the root user:

install -v -dm755 /usr/share/doc/liboauth-1.0.3 &&
cp -rv doc/html/* /usr/share/doc/liboauth-1.0.3

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

--enable-nss: Use this switch if you want to use Mozilla NSS instead of OpenSSL.

Contents

Installed Programs: None
Installed Libraries: liboauth.so
Installed Directories: /usr/share/doc/liboauth-1.0.3

Short Descriptions

liboauth.so

provides functions to escape and encode stings according to OAuth specifications and offers high-level functionality built on top to sign requests or verify signatures using either NSS or OpenSSL for calculating the hash/signatures.

Last updated on 2020-02-17 12:12:55 -0800

libpwquality-1.4.2

Introduction to libpwquality

The libpwquality package provides common functions for password quality checking and also scoring them based on their apparent randomness. The library also provides a function for generating random passwords with good pronounceability.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

libpwquality Dependencies

Required

CrackLib-2.9.7

Recommended
Optional

Python-2.7.17

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/libpwquality

Installation of libpwquality

Install libpwquality by running the following commands:

./configure --prefix=/usr                  \
            --disable-static               \
            --with-securedir=/lib/security \
            --with-python-binary=python3 &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Command Explanations

--with-python-binary=python3: This parameter gives the location of the Python binary. The default is python, and requires Python-2.7.17.

Configuring libpwquality

libpwquality is intended to be a functional replacement for the pam_cracklib.so module with additional options. To replace the pam_cracklib.so module with the pam_pwquality.so module, execute the following commands as the root user:

mv /etc/pam.d/system-password{,.orig} &&
cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# check new passwords for strength (man pam_pwquality)
password  required    pam_pwquality.so   authtok_type=UNIX retry=1 difok=1 \
                                         minlen=8 dcredit=0 ucredit=0 \
                                         lcredit=0 ocredit=0 minclass=1 \
                                         maxrepeat=0 maxsequence=0 \
                                         maxclassrepeat=0 geoscheck=0 \
                                         dictcheck=1 usercheck=1 \
                                         enforcing=1 badwords="" \
                                         dictpath=/lib/cracklib/pw_dict
# use sha512 hash for encryption, use shadow, and use the
# authentication token (chosen password) set by pam_pwquality
# above (or any previous modules)
password  required    pam_unix.so        sha512 shadow use_authtok

# End /etc/pam.d/system-password
EOF

Contents

Installed Programs: pwscore and pwmake
Installed Libraries: pam_pwquality.so and libpwquality.so
Installed Directories: None

Short Descriptions

pwmake

is a simple configurable tool for generating random and relatively easily pronounceable passwords.

pwscore

is a simple tool for checking quality of a password.

libpwquality.so

contains API functions for checking the password quality.

pam_pwquality.so

is a Linux PAM module used to perform password quality checking.

Last updated on 2015-09-25 08:48:24 -0500

MIT Kerberos V5-1.18

Introduction to MIT Kerberos V5

MIT Kerberos V5 is a free implementation of Kerberos 5. Kerberos is a network authentication protocol. It centralizes the authentication database and uses kerberized applications to work with servers or services that support Kerberos allowing single logins and encrypted communication over internal networks or the Internet.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

MIT Kerberos V5 Dependencies

Optional

DejaGnu-1.6.2 (for full test coverage), GnuPG-2.2.19 (to authenticate the package), keyutils-1.6.1, OpenLDAP-2.4.49, rpcbind-1.2.5 (used during the testsuite), Valgrind-3.15.0 (used during the testsuite), libedit, cmocka, pyrad, and resolv_wrapper

Note

Some sort of time synchronization facility on your system (like ntp-4.2.8p13) is required since Kerberos won't authenticate if there is a time difference between a kerberized client and the KDC server.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/mitkrb

Installation of MIT Kerberos V5

Build MIT Kerberos V5 by running the following commands:

cd src &&
 
sed -i -e 's@\^u}@^u cols 300}@' tests/dejagnu/config/default.exp     &&
sed -i -e '/eq 0/{N;s/12 //}'    plugins/kdb/db2/libdb2/test/run.test &&

./configure --prefix=/usr            \
            --sysconfdir=/etc        \
            --localstatedir=/var/lib \
            --with-system-et         \
            --with-system-ss         \
            --with-system-verto=no   \
            --enable-dns-for-realm &&
make

To test the build, issue as the root user: make -k check. You need at least Tcl-8.6.10, which is used to drive the testsuite. Furthermore, DejaGnu-1.6.2 must be available for some of the tests to run. If you have a former version of MIT Kerberos V5 installed, it may happen that the test suite pick up the installed versions of the libraries, rather than the newly built ones. If so, it is better to run the tests after the installation.

Now, as the root user:

make install &&

for f in gssapi_krb5 gssrpc k5crypto kadm5clnt kadm5srv \
         kdb5 kdb_ldap krad krb5 krb5support verto ; do

    find /usr/lib -type f -name "lib$f*.so*" -exec chmod -v 755 {} \;    
done          &&

mv -v /usr/lib/libkrb5.so.3*        /lib &&
mv -v /usr/lib/libk5crypto.so.3*    /lib &&
mv -v /usr/lib/libkrb5support.so.0* /lib &&

ln -v -sf ../../lib/libkrb5.so.3.3        /usr/lib/libkrb5.so        &&
ln -v -sf ../../lib/libk5crypto.so.3.1    /usr/lib/libk5crypto.so    &&
ln -v -sf ../../lib/libkrb5support.so.0.1 /usr/lib/libkrb5support.so &&

mv -v /usr/bin/ksu /bin &&
chmod -v 755 /bin/ksu   &&

install -v -dm755 /usr/share/doc/krb5-1.18 &&
cp -vfr ../doc/*  /usr/share/doc/krb5-1.18

Command Explanations

The first sed increases the width of the virtual terminal used for some tests to prevent some spurious text in the output which is taken as a failure. The second sed removes a test that is known to fail.

--localstatedir=/var/lib: This option is used so that the Kerberos variable run-time data is located in /var/lib instead of /usr/var.

--with-system-et: This switch causes the build to use the system-installed versions of the error-table support software.

--with-system-ss: This switch causes the build to use the system-installed versions of the subsystem command-line interface software.

--with-system-verto=no: This switch fixes a bug in the package: it does not recognize its own verto library installed previously. This is not a problem, if reinstalling the same version, but if you are updating, the old library is used as system's one, instead of installing the new version.

--enable-dns-for-realm: This switch allows realms to be resolved using the DNS server.

--with-ldap: Use this switch if you want to compile the OpenLDAP database backend module.

mv -v /usr/lib/libk... /lib and ln -v -sf ../../lib/libk... /usr/lib/libk...: Move critical libraries to the /lib directory so that they are available when the /usr filesystem is not mounted.

find /usr/lib -type f -name "lib$f*.so*" -exec chmod -v 755 {} \;: This command changes the permisison of installed libraries.

mv -v /usr/bin/ksu /bin: Moves the ksu program to the /bin directory so that it is available when the /usr filesystem is not mounted.

Configuring MIT Kerberos V5

Config Files

/etc/krb5.conf and /var/lib/krb5kdc/kdc.conf

Configuration Information

Kerberos Configuration

Tip

You should consider installing some sort of password checking dictionary so that you can configure the installation to only accept strong passwords. A suitable dictionary to use is shown in the CrackLib-2.9.7 instructions. Note that only one file can be used, but you can concatenate many files into one. The configuration file shown below assumes you have installed a dictionary to /usr/share/dict/words.

Create the Kerberos configuration file with the following commands issued by the root user:

cat > /etc/krb5.conf << "EOF"
# Begin /etc/krb5.conf

[libdefaults]
    default_realm = <EXAMPLE.ORG>
    encrypt = true

[realms]
    <EXAMPLE.ORG> = {
        kdc = <belgarath.example.org>
        admin_server = <belgarath.example.org>
        dict_file = /usr/share/dict/words
    }

[domain_realm]
    .<example.org> = <EXAMPLE.ORG>

[logging]
    kdc = SYSLOG:INFO:AUTH
    admin_server = SYSLOG:INFO:AUTH
    default = SYSLOG:DEBUG:DAEMON

# End /etc/krb5.conf
EOF

You will need to substitute your domain and proper hostname for the occurrences of the <belgarath> and <example.org> names.

default_realm should be the name of your domain changed to ALL CAPS. This isn't required, but both Heimdal and MIT recommend it.

encrypt = true provides encryption of all traffic between kerberized clients and servers. It's not necessary and can be left off. If you leave it off, you can encrypt all traffic from the client to the server using a switch on the client program instead.

The [realms] parameters tell the client programs where to look for the KDC authentication services.

The [domain_realm] section maps a domain to a realm.

Create the KDC database:

kdb5_util create -r <EXAMPLE.ORG> -s

Now you should populate the database with principals (users). For now, just use your regular login name or root.

kadmin.local
kadmin.local: add_policy dict-only
kadmin.local: addprinc -policy dict-only <loginname>

The KDC server and any machine running kerberized server daemons must have a host key installed:

kadmin.local: addprinc -randkey host/<belgarath.example.org>

After choosing the defaults when prompted, you will have to export the data to a keytab file:

kadmin.local: ktadd host/<belgarath.example.org>

This should have created a file in /etc named krb5.keytab (Kerberos 5). This file should have 600 (root rw only) permissions. Keeping the keytab files from public access is crucial to the overall security of the Kerberos installation.

Exit the kadmin program (use quit or exit) and return back to the shell prompt. Start the KDC daemon manually, just to test out the installation:

/usr/sbin/krb5kdc

Attempt to get a ticket with the following command:

kinit <loginname>

You will be prompted for the password you created. After you get your ticket, you can list it with the following command:

klist

Information about the ticket should be displayed on the screen.

To test the functionality of the keytab file, issue the following command as the root user:

ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l

This should dump a list of the host principal, along with the encryption methods used to access the principal.

At this point, if everything has been successful so far, you can feel fairly confident in the installation and configuration of the package.

Additional Information

For additional information consult the documentation for krb5-1.18 on which the above instructions are based.

Init Script

If you want to start Kerberos services at boot, install the /etc/rc.d/init.d/krb5 init script included in the blfs-bootscripts-20191204 package using the following command:

make install-krb5

Contents

Installed Programs: gss-client, gss-server, k5srvutil, kadmin, kadmin.local, kadmind, kdb5_ldap_util (optional), kdb5_util, kdestroy, kinit, klist, kpasswd, kprop, kpropd, kproplog, krb5-config, krb5-send-pr, krb5kdc, ksu, kswitch, ktutil, kvno, sclient, sim_client, sim_server, sserver, uuclient, and uuserver
Installed Libraries: libgssapi_krb5.so, libgssrpc.so, libk5crypto.so, libkadm5clnt_mit.so, libkadm5clnt.so, libkadm5srv_mit.so, libkadm5srv.so, libkdb_ldap.so (optional), libkdb5.so, libkrad.so, libkrb5.so, libkrb5support.so, libverto.so, and some plugins under the /usr/lib/krb5 tree
Installed Directories: /usr/include/{gssapi,gssrpc,kadm5,krb5}, /usr/lib/krb5, /usr/share/{doc/krb5-1.18,examples/krb5}, /var/lib/krb5kdc, and /run/krb5kdc

Short Descriptions

gss-client

is a GSSAPI test client.

gss-server

is a GSSAPI test server.

k5srvutil

is a host keytable manipulation utility.

kadmin

is an utility used to make modifications to the Kerberos database.

kadmin.local

is an utility similar to kadmin, but if the database is db2, the local client kadmin.local, is intended to run directly on the master KDC without Kerberos authentication.

kadmind

is a server for administrative access to a Kerberos database.

kdb5_ldap_util (optional)

allows an administrator to manage realms, Kerberos services and ticket policies.

kdb5_util

is the KDC database utility.

kdestroy

removes the current set of tickets.

kinit

is used to authenticate to the Kerberos server as a principal and acquire a ticket granting ticket that can later be used to obtain tickets for other services.

klist

reads and displays the current tickets in the credential cache.

kpasswd

is a program for changing Kerberos 5 passwords.

kprop

takes a principal database in a specified format and converts it into a stream of database records.

kpropd

receives a database sent by kprop and writes it as a local database.

kproplog

displays the contents of the KDC database update log to standard output.

krb5-config

gives information on how to link programs against libraries.

krb5kdc

is the Kerberos 5 server.

krb5-send-pr

sends a problem report (PR) to a central support site.

ksu

is the super user program using Kerberos protocol. Requires a properly configured /etc/shells and ~/.k5login containing principals authorized to become super users.

kswitch

makes the specified credential cache the primary cache for the collection, if a cache collection is available.

ktutil

is a program for managing Kerberos keytabs.

kvno

prints keyversion numbers of Kerberos principals.

sclient

is used to contact a sample server and authenticate to it using Kerberos 5 tickets, then display the server's response.

sim_client

is a simple UDP-based sample client program, for demonstration.

sim_server

is a simple UDP-based server application, for demonstration.

sserver

is the sample Kerberos 5 server.

uuclient

is another sample client.

uuserver

is another sample server.

libgssapi_krb5.so

contains the Generic Security Service Application Programming Interface (GSSAPI) functions which provides security services to callers in a generic fashion, supportable with a range of underlying mechanisms and technologies and hence allowing source-level portability of applications to different environments.

libkadm5clnt.so

contains the administrative authentication and password checking functions required by Kerberos 5 client-side programs.

libkadm5srv.so

contains the administrative authentication and password checking functions required by Kerberos 5 servers.

libkdb5.so

is a Kerberos 5 authentication/authorization database access library.

libkrad.so

contains the internal support library for RADIUS functionality.

libkrb5.so

is an all-purpose Kerberos 5 library.

Last updated on 2020-02-18 14:50:03 -0800

Nettle-3.5.1

Introduction to Nettle

The Nettle package contains a low-level cryptographic library that is designed to fit easily in many contexts.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/nettle

Installation of Nettle

Install Nettle by running the following commands:

./configure --prefix=/usr --disable-static &&
make

To test the results, issue: make check.

Now, as the root user:

make install &&
chmod   -v   755 /usr/lib/lib{hogweed,nettle}.so &&
install -v -m755 -d /usr/share/doc/nettle-3.5.1 &&
install -v -m644 nettle.html /usr/share/doc/nettle-3.5.1

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

Contents

Installed Programs: nettle-hash, nettle-lfib-stream, nettle-pbkdf2, pkcs1-conv and sexp-conv
Installed Libraries: libhogweed.so and libnettle.so
Installed Directory: /usr/include/nettle and /usr/share/doc/nettle-3.5.1

Short Descriptions

nettle-hash

calculates a hash value using a specified algorithm.

nettle-lfib-stream

outputs a sequence of pseudorandom (non-cryptographic) bytes, using Knuth's lagged fibonacci generator. The stream is useful for testing, but should not be used to generate cryptographic keys or anything else that needs real randomness.

nettle-pbkdf2

password-based key derivation function that take as input a password or passphrase and typically strengthen it and protect against certain pre-computation attacks by using salting and expensive computation.

pkcs1-conv

converts private and public RSA keys from PKCS #1 format to sexp format.

sexp-conv

converts an s-expression to a different encoding.

Last updated on 2020-02-16 18:46:23 -0800

NSS-3.50

Introduction to NSS

The Network Security Services (NSS) package is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. This is useful for implementing SSL and S/MIME or other Internet security standards into an application.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Additional Downloads

NSS Dependencies

Required

NSPR-4.25

Recommended

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/nss

Installation of NSS

Note

This package does not support parallel build.

Install NSS by running the following commands:

patch -Np1 -i ../nss-3.50-standalone-1.patch &&

cd nss &&

make -j1 BUILD_OPT=1                  \
  NSPR_INCLUDE_DIR=/usr/include/nspr  \
  USE_SYSTEM_ZLIB=1                   \
  ZLIB_LIBS=-lz                       \
  NSS_ENABLE_WERROR=0                 \
  $([ $(uname -m) = x86_64 ] && echo USE_64=1) \
  $([ -f /usr/include/sqlite3.h ] && echo NSS_USE_SYSTEM_SQLITE=1)

The unit tests were run during the build.

Now, as the root user:

cd ../dist                                                          &&

install -v -m755 Linux*/lib/*.so              /usr/lib              &&
install -v -m644 Linux*/lib/{*.chk,libcrmf.a} /usr/lib              &&

install -v -m755 -d                           /usr/include/nss      &&
cp -v -RL {public,private}/nss/*              /usr/include/nss      &&
chmod -v 644                                  /usr/include/nss/*    &&

install -v -m755 Linux*/bin/{certutil,nss-config,pk12util} /usr/bin &&

install -v -m644 Linux*/lib/pkgconfig/nss.pc  /usr/lib/pkgconfig

Command Explanations

BUILD_OPT=1: This option is passed to make so that the build is performed with no debugging symbols built into the binaries and the default compiler optimizations are used.

NSPR_INCLUDE_DIR=/usr/include/nspr: This option sets the location of the nspr headers.

USE_SYSTEM_ZLIB=1: This option is passed to make to ensure that the libssl3.so library is linked to the system installed zlib instead of the in-tree version.

ZLIB_LIBS=-lz: This option provides the linker flags needed to link to the system zlib.

$([ $(uname -m) = x86_64 ] && echo USE_64=1): The USE_64=1 option is required on x86_64, otherwise make will try (and fail) to create 32-bit objects. The [ $(uname -m) = x86_64 ] test ensures it has no effect on a 32 bit system.

([ -f /usr/include/sqlite3.h ] && echo NSS_USE_SYSTEM_SQLITE=1): This tests if sqlite is installed and if so it echos the option NSS_USE_SYSTEM_SQLITE=1 to make so that libsoftokn3.so will link against the system version of sqlite.

Configuring NSS

If p11-kit-0.23.20 is installed, the p11-kit trust module (/usr/lib/pkcs11/p11-kit-trust.so) can be used as a drop-in replacement for /usr/lib/libnssckbi.so to transparently make the system CAs available to NSS aware applications, rather than the static list provided by /usr/lib/libnssckbi.so. As the root user, execute the following commands:

ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so

Additionally, for dependent applications that do not use the internal database (/usr/lib/libnssckbi.so), the /usr/sbin/make-ca script, included on the make-ca-1.5 page can generate a system wide NSS DB with the -n switch, or by modifying the /etc/make-ca.conf file.

Contents

Installed Programs: certutil, nss-config, and pk12util
Installed Libraries: libcrmf.a, libfreebl3.so, libfreeblpriv3.so, libgtest1.so, libgtestutil.so, libnss3.so, libnssckbi.so, libnssdbm3.so, libnsssysinit.so, libnssutil3.so, libsmime3.so, libsoftokn3.so, and libssl3.so
Installed Directories: /usr/include/nss

Short Descriptions

certutil

is the Mozilla Certificate Database Tool. It is a command-line utility that can create and modify the Netscape Communicator cert8.db and key3.db database files. It can also list, generate, modify, or delete certificates within the cert8.db file and create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key3.db file.

nss-config

is used to determine the NSS library settings of the installed NSS libraries.

pk12util

is a tool for importing certificates and keys from pkcs #12 files into NSS or exporting them. It can also list certificates and keys in such files.

Last updated on 2020-02-17 10:10:59 -0800

OpenSSH-8.2p1

Introduction to OpenSSH

The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network. The ssh and scp commands are secure implementations of telnet and rcp respectively.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

OpenSSH Dependencies

Optional

GDB-9.1 (for tests), Linux-PAM-1.3.1, X Window System, MIT Kerberos V5-1.18, libedit, LibreSSL Portable, OpenSC, and libsectok

Optional Runtime (Used only to gather entropy)

OpenJDK-12.0.2, Net-tools-CVS_20101030, and Sysstat-12.3.1

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/OpenSSH

Installation of OpenSSH

OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network. Additional installation steps are necessary to set up the proper environment, which are performed by issuing the following commands as the root user:

install  -v -m700 -d /var/lib/sshd &&
chown    -v root:sys /var/lib/sshd &&

groupadd -g 50 sshd        &&
useradd  -c 'sshd PrivSep' \
         -d /var/lib/sshd  \
         -g sshd           \
         -s /bin/false     \
         -u 50 sshd

Install OpenSSH by running the following commands:

./configure --prefix=/usr                     \
            --sysconfdir=/etc/ssh             \
            --with-md5-passwords              \
            --with-privsep-path=/var/lib/sshd &&
make

The testsuite requires an installed copy of scp to complete the multiplexing tests. To run the test suite, first copy the scp program to /usr/bin, making sure that you backup any existing copy first.

To test the results, issue: make tests.

Now, as the root user:

make install &&
install -v -m755    contrib/ssh-copy-id /usr/bin     &&

install -v -m644    contrib/ssh-copy-id.1 \
                    /usr/share/man/man1              &&
install -v -m755 -d /usr/share/doc/openssh-8.2p1     &&
install -v -m644    INSTALL LICENCE OVERVIEW README* \
                    /usr/share/doc/openssh-8.2p1

Command Explanations

--sysconfdir=/etc/ssh: This prevents the configuration files from being installed in /usr/etc.

--with-md5-passwords: This enables the use of MD5 passwords.

--with-pam: This parameter enables Linux-PAM support in the build.

--with-xauth=/usr/bin/xauth: Set the default location for the xauth binary for X authentication. Change the location if xauth will be installed to a different path. This can also be controlled from sshd_config with the XAuthLocation keyword. You can omit this switch if Xorg is already installed.

--with-kerberos5=/usr: This option is used to include Kerberos 5 support in the build.

--with-libedit: This option enables line editing and history features for sftp.

Configuring OpenSSH

Config Files

~/.ssh/*, /etc/ssh/ssh_config, and /etc/ssh/sshd_config

There are no required changes to any of these files. However, you may wish to view the /etc/ssh/ files and make any changes appropriate for the security of your system. One recommended change is that you disable root login via ssh. Execute the following command as the root user to disable root login via ssh:

echo "PermitRootLogin no" >> /etc/ssh/sshd_config

If you want to be able to log in without typing in your password, first create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with ssh-keygen and then copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the remote computer that you want to log into. You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote computer and you'll also need to enter your password for the ssh-copy-id command to succeed:

ssh-keygen &&
ssh-copy-id -i ~/.ssh/id_rsa.pub REMOTE_USERNAME@REMOTE_HOSTNAME

Once you've got passwordless logins working it's actually more secure than logging in with a password (as the private key is much longer than most people's passwords). If you would like to now disable password logins, as the root user:

echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config

If you added Linux-PAM support and you want ssh to use it then you will need to add a configuration file for sshd and enable use of LinuxPAM. Note, ssh only uses PAM to check passwords, if you've disabled password logins these commands are not needed. If you want to use PAM, issue the following commands as the root user:

sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
chmod 644 /etc/pam.d/sshd &&
echo "UsePAM yes" >> /etc/ssh/sshd_config

Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent.

Boot Script

To start the SSH server at system boot, install the /etc/rc.d/init.d/sshd init script included in the blfs-bootscripts-20191204 package.

make install-sshd

Contents

Installed Programs: scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent, ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
Installed Libraries: None
Installed Directories: /etc/ssh, /usr/share/doc/openssh-8.2p1, and /var/lib/sshd

Short Descriptions

scp

is a file copy program that acts like rcp except it uses an encrypted protocol.

sftp

is an FTP-like program that works over the SSH1 and SSH2 protocols.

slogin

is a symlink to ssh.

ssh

is an rlogin/rsh-like client program except it uses an encrypted protocol.

sshd

is a daemon that listens for ssh login requests.

ssh-add

is a tool which adds keys to the ssh-agent.

ssh-agent

is an authentication agent that can store private keys.

ssh-copy-id

is a script that enables logins on remote machine using local keys.

ssh-keygen

is a key generation tool.

ssh-keyscan

is a utility for gathering public host keys from a number of hosts.

Last updated on 2020-02-15 08:01:33 -0800

p11-kit-0.23.20

Introduction to p11-kit

The p11-kit package provides a way to load and enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

p11-kit Dependencies

Recommended
Optional

GTK-Doc-1.32, libxslt-1.1.34, and NSS-3.50 (runtime)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/p11-kit

Installation of p11-kit

Prepare the distribution specific anchor hook:

sed '20,$ d' -i trust/trust-extract-compat.in &&
cat >> trust/trust-extract-compat.in << "EOF"
# Copy existing anchor modifications to /etc/ssl/local
/usr/libexec/make-ca/copy-trust-modifications

# Generate a new trust store
/usr/sbin/make-ca -f -g
EOF

Install p11-kit by running the following commands:

./configure --prefix=/usr     \
            --sysconfdir=/etc \
            --with-trust-paths=/etc/pki/anchors &&
make

To test the results, issue: make check. Many tests will fail if the test suite is run as the root user.

Now, as the root user:

make install &&
ln -sfv /usr/libexec/p11-kit/trust-extract-compat \
        /usr/bin/update-ca-certificates

Command Explanations

--with-trust-paths=/etc/pki/anchors: this switch sets the location of trusted certificates used by libp11-kit.so.

--with-hash-impl=freebl: Use this switch if you want to use the Freebl library from NSS for SHA1 and MD5 hashing.

--enable-doc: Use this switch if you have installed GTK-Doc-1.32 and libxslt-1.1.34 and wish to rebuild the documentation and generate manual pages.

Configuring p11-kit

The p11-kit trust module (/usr/lib/pkcs11/p11-kit-trust.so) can be used as a drop-in replacement for /usr/lib/libnssckbi.so to transparently make the system CAs available to NSS aware applications, rather than the static list provided by /usr/lib/libnssckbi.so. As the root user, execute the following commands:

ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so

Contents

Installed Programs: p11-kit, trust, and update-ca-certificates
Installed Libraries: libp11-kit.so and p11-kit-proxy.so
Installed Directories: /etc/pkcs11, /usr/include/p11-kit-1, /usr/lib/pkcs11, /usr/libexec/p11-kit, /usr/share/gtk-doc/html/p11-kit, and /usr/share/p11-kit

Short Descriptions

p11-kit

is a command line tool that can be used to perform operations on PKCS#11 modules configured on the system.

trust

is a command line tool to examine and modify the shared trust policy store.

update-ca-certificates

is a command line tool to both extract local certificates from an updated anchor store, and regenerate all anchors and certificate stores on the system. This is done unconditionally on BLFS using the --force and --get flags to make-ca and should likely not be used for automated updates.

libp11-kit.so

contains functions used to coordinate initialization and finalization of any PKCS#11 module.

p11-kit-proxy.so

is the PKCS#11 proxy module.

Last updated on 2020-02-15 08:54:30 -0800

Polkit-0.116

Introduction to Polkit

Polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to communicate with privileged processes.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Additional Downloads

Polkit Dependencies

Required

GLib-2.62.4 and js60-60.8.0

Recommended

Note

Since elogind uses PAM to register user sessions, it is a good idea to build Polkit with PAM support so elogind can track Polkit sessions.

Optional (Required if building GNOME)

gobject-introspection-1.62.0

Optional

docbook-xml-4.5, docbook-xsl-1.79.2, GTK-Doc-1.32, and libxslt-1.1.34

Optional Runtime Dependencies

One polkit authentication agent for using polkit in the graphical environment: polkit-kde-agent in Plasma-5.18.1 for KDE, the agent built in gnome-shell-3.34.4 for GNOME3, polkit-gnome-0.105 for XFCE, and lxpolkit in LXSession-0.5.4 for LXDE.

Note

If libxslt-1.1.34 is installed, then docbook-xml-4.5 and docbook-xsl-1.79.2 are required. If you have installed libxslt-1.1.34, but you do not want to install any of the DocBook packages mentioned, you will need to use --disable-man-pages in the instructions below.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/polkit

Installation of Polkit

There should be a dedicated user and group to take control of the polkitd daemon after it is started. Issue the following commands as the root user:

groupadd -fg 27 polkitd &&
useradd -c "PolicyKit Daemon Owner" -d /etc/polkit-1 -u 27 \
        -g polkitd -s /bin/false polkitd

Fix an issue introduced in recent Polkit realeases with elogind:

patch -Np1 -i ../polkit-0.116-fix_elogind_detection-1.patch &&
autoreconf -fi

Install Polkit by running the following commands:

./configure --prefix=/usr        \
            --sysconfdir=/etc    \
            --localstatedir=/var \
            --disable-static     \
            --with-os-type=LFS   \
            --enable-libsystemd-login=no &&
make

To test the results, issue: make check. Note that system D-Bus daemon must be running for the testsuite to complete.

Now, as the root user:

make install

Command Explanations

--with-authfw=shadow: This switch enables the package to use the Shadow rather than the Linux PAM Authentication framework. Use it if you have not installed Linux PAM.

--disable-static: This switch prevents installation of static versions of the libraries.

--enable-gtk-doc: Use this parameter if GTK-Doc is installed and you wish to rebuild and install the API documentation.

--enable-libsystemd-login=no: This switch forces polkit to build with elogind support (if available) rather than systemd.

Configuring Polkit

PAM Configuration

Note

If you did not build Polkit with Linux PAM support, you can skip this section.

If you have built Polkit with Linux PAM support, you need to modify the default PAM configuration file which was installed by default to get Polkit to work correctly with BLFS. Issue the following commands as the root user to create the configuration file for Linux PAM:

cat > /etc/pam.d/polkit-1 << "EOF"
# Begin /etc/pam.d/polkit-1

auth     include        system-auth
account  include        system-account
password include        system-password
session  include        system-session

# End /etc/pam.d/polkit-1
EOF

Contents

Installed Programs: pkaction, pkcheck, pk-example-frobnicate, pkexec, pkttyagent and polkitd
Installed Libraries: libpolkit-agent-1.so and libpolkit-gobject-1.so
Installed Directories: /etc/polkit-1, /usr/include/polkit-1, /usr/lib/polkit-1, /usr/share/gtk-doc/html/polkit-1 and /usr/share/polkit-1

Short Descriptions

pkaction

is used to obtain information about registered PolicyKit actions.

pkcheck

is used to check whether a process is authorized for action.

pk-example-frobnicate

is an example program to test the pkexec command.

pkexec

allows an authorized user to execute a command as another user.

pkttyagent

is used to start a textual authentication agent for the subject.

polkitd

provides the org.freedesktop.PolicyKit1 D-Bus service on the system message bus.

libpolkit-agent-1.so

contains the Polkit authentication agent API functions.

libpolkit-gobject-1.so

contains the Polkit authorization API functions.

Last updated on 2020-02-17 12:12:55 -0800

Shadow-4.8.1

Introduction to Shadow

Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed CrackLib or Linux-PAM after your LFS system was completed. If you have installed CrackLib after LFS, then reinstalling Shadow will enable strong password support. If you have installed Linux-PAM, reinstalling Shadow will allow programs such as login and su to utilize PAM.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Shadow Dependencies

Required

Linux-PAM-1.3.1 or CrackLib-2.9.7

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/shadow

Installation of Shadow

Important

The installation commands shown below are for installations where Linux-PAM has been installed (with or without a CrackLib installation) and Shadow is being reinstalled to support the Linux-PAM installation.

If you are reinstalling Shadow to provide strong password support using the CrackLib library without using Linux-PAM, ensure you add the --with-libcrack parameter to the configure script below and also issue the following command:

sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs

Reinstall Shadow by running the following commands:

sed -i 's/groups$(EXEEXT) //' src/Makefile.in &&

find man -name Makefile.in -exec sed -i 's/groups\.1 / /'   {} \; &&
find man -name Makefile.in -exec sed -i 's/getspnam\.3 / /' {} \; &&
find man -name Makefile.in -exec sed -i 's/passwd\.5 / /'   {} \; &&

sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
    -e 's@/var/spool/mail@/var/mail@'                 \
    -i etc/login.defs                                 &&

sed -i 's/1000/999/' etc/useradd                      &&

./configure --sysconfdir=/etc --with-group-name-max-length=32 &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Command Explanations

sed -i 's/groups$(EXEEXT) //' src/Makefile.in: This sed is used to suppress the installation of the groups program as the version from the Coreutils package installed during LFS is preferred.

find man -name Makefile.in -exec ... {} \;: This command is used to suppress the installation of the groups man pages so the existing ones installed from the Coreutils package are not replaced.

sed -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e 's@/var/spool/mail@/var/mail@' -i etc/login.defs: Instead of using the default 'DES' method, this command modifies the installation to use the more secure 'SHA512' method of hashing passwords, which also allows passwords longer than eight characters. It also changes the obsolete /var/spool/mail location for user mailboxes that Shadow uses by default to the /var/mail location.

sed -i 's/1000/999/' etc/useradd: Make a minor change to make the default useradd consistent with the LFS groups file.

--with-group-name-max-length=32: The maximum user name is 32 characters. Make the maximum group name the same.

Configuring Shadow

Shadow's stock configuration for the useradd utility may not be desirable for your installation. One default parameter causes useradd to create a mailbox file for any newly created user. useradd will make the group ownership of this file to the mail group with 0660 permissions. If you would prefer that these mailbox files are not created by useradd, issue the following command as the root user:

sed -i 's/yes/no/' /etc/default/useradd

Configuring Linux-PAM to Work with Shadow

Note

The rest of this page is devoted to configuring Shadow to work properly with Linux-PAM. If you do not have Linux-PAM installed, and you reinstalled Shadow to support strong passwords via the CrackLib library, no further configuration is required.

Config Files

/etc/pam.d/* or alternatively /etc/pam.conf, /etc/login.defs and /etc/security/*

Configuration Information

Configuring your system to use Linux-PAM can be a complex task. The information below will provide a basic setup so that Shadow's login and password functionality will work effectively with Linux-PAM. Review the information and links on the Linux-PAM-1.3.1 page for further configuration information. For information specific to integrating Shadow, Linux-PAM and CrackLib, you can visit the following link:

Configuring /etc/login.defs

The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents). Issue the following commands as the root user:

install -v -m644 /etc/login.defs /etc/login.defs.orig &&
for FUNCTION in FAIL_DELAY               \
                FAILLOG_ENAB             \
                LASTLOG_ENAB             \
                MAIL_CHECK_ENAB          \
                OBSCURE_CHECKS_ENAB      \
                PORTTIME_CHECKS_ENAB     \
                QUOTAS_ENAB              \
                CONSOLE MOTD_FILE        \
                FTMP_FILE NOLOGINS_FILE  \
                ENV_HZ PASS_MIN_LEN      \
                SU_WHEEL_ONLY            \
                CRACKLIB_DICTPATH        \
                PASS_CHANGE_TRIES        \
                PASS_ALWAYS_WARN         \
                CHFN_AUTH ENCRYPT_METHOD \
                ENVIRON_FILE
do
    sed -i "s/^${FUNCTION}/# &/" /etc/login.defs
done
Configuring the /etc/pam.d/ Files

As mentioned previously in the Linux-PAM instructions, Linux-PAM has two supported methods for configuration. The commands below assume that you've chosen to use a directory based configuration, where each program has its own configuration file. You can optionally use a single /etc/pam.conf configuration file by using the text from the files below, and supplying the program name as an additional first field for each line.

As the root user, replace the following Linux-PAM configuration files in the /etc/pam.d/ directory (or add the contents to the /etc/pam.conf file) using the following commands:

'login'
cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional    pam_faildelay.so  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite   pam_nologin.so

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth      required    pam_securetty.so

# Additional group memberships - disabled by default
#auth      optional    pam_group.so

# include system auth settings
auth      include     system-auth

# check access for the user
account   required    pam_access.so

# include system account settings
account   include     system-account

# Set default environment variables for the user
session   required    pam_env.so

# Set resource limits for the user
session   required    pam_limits.so

# Display date of last login - Disabled by default
#session   optional    pam_lastlog.so

# Display the message of the day - Disabled by default
#session   optional    pam_motd.so

# Check user's mail - Disabled by default
#session   optional    pam_mail.so      standard quiet

# include system session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login
EOF
'passwd'
cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd
EOF
'su'
cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su

# always allow root
auth      sufficient  pam_rootok.so

# Allow users in the wheel group to execute su without a password
# disabled by default
#auth      sufficient  pam_wheel.so trust use_uid

# include system auth settings
auth      include     system-auth

# limit su to users in the wheel group
auth      required    pam_wheel.so use_uid

# include system account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session settings
session   include     system-session

# End /etc/pam.d/su
EOF
'chage'
cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage

# always allow root
auth      sufficient  pam_rootok.so

# include system auth, account, and session settings
auth      include     system-auth
account   include     system-account
session   include     system-session

# Always permit for authentication updates
password  required    pam_permit.so

# End /etc/pam.d/chage
EOF
Other common programs
for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done

Warning

At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. One obvious reason for an error is if the user is not in group wheel. You may want to run (as root): usermod -a -G wheel <user>. Any other error is the sign of an error in the above procedure. You can also run the test suite from the Linux-PAM package to assist you in determining the problem. If you cannot find and fix the error, you should recompile Shadow adding the --without-libpam switch to the configure command in the above instructions (also move the /etc/login.defs.orig backup file to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system.

Configuring Login Access

Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the pam_access.so module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command:

[ -f /etc/login.access ] && mv -v /etc/login.access{,.NOUSE}
Configuring Resource Limits

Instead of using the /etc/limits file for limiting usage of system resources, Linux-PAM uses the pam_limits.so module along with the /etc/security/limits.conf file. Rename the /etc/limits file using the following command:

[ -f /etc/limits ] && mv -v /etc/limits{,.NOUSE}

Caution

Be sure to test the login capabilities of the system before logging out. Errors in the configuration can cause a permanent lockout requiring a boot from an external source to correct the problem.

Contents

A list of the installed files, along with their short descriptions can be found at ../../../../lfs/view/9.1/chapter06/shadow.html#contents-shadow .

Last updated on 2020-02-15 08:54:30 -0800

ssh-askpass-8.2p1

Introduction to ssh-askpass

The ssh-askpass is a generic executable name for many packages, with similar names, that provide a interactive X service to grab password for packages requiring administrative privileges to be run. It prompts the user with a window box where the necessary password can be inserted. Here, we choose Damien Miller's package distributed in the OpenSSH tarball.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

ssh-askpass Dependencies

Required

GTK+-2.24.32, Sudo-1.8.31 (runtime), Xorg Libraries, and X Window System (runtime)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/ssh-askpass

Installation of ssh-askpass

Install ssh-askpass by running the following commands:

cd contrib &&
make gnome-ssh-askpass2

Now, as the root user:

install -v -d -m755 /usr/libexec/openssh/contrib  &&
install -v -m755    gnome-ssh-askpass2 \
                    /usr/libexec/openssh/contrib  &&
ln -sv -f contrib/gnome-ssh-askpass2 \
                    /usr/libexec/openssh/ssh-askpass

The use of /usr/libexec/openssh/contrib and a symlink is justified by the eventual necessity of a different program for that service.

Configuring ssh-askpass

Configuration Information

As the root user, configure Sudo-1.8.31 to use ssh-askpass:

cat >> /etc/sudo.conf << "EOF" &&
# Path to askpass helper program
Path askpass /usr/libexec/openssh/ssh-askpass
EOF
chmod -v 0644 /etc/sudo.conf

If a given graphical <application> requires administrative privileges, use sudo -A <application> from an x-terminal, from a Window Manager menu and/or replace "Exec=<application> ..." by "Exec=sudo -A <application> ..." in the <application>.desktop file.

Contents

Installed Programs: None
Installed Library: None
Installed Directory: /usr/libexec/openssh/contrib

Last updated on 2020-02-16 18:46:23 -0800

stunnel-5.56

Introduction to stunnel

The stunnel package contains a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) so you can easily communicate with clients over secure channels. stunnel can be used to add SSL functionality to commonly used Inetd daemons such as POP-2, POP-3, and IMAP servers, along with standalone daemons such as NNTP, SMTP, and HTTP. stunnel can also be used to tunnel PPP over network sockets without changes to the server package source code.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

stunnel Dependencies

Optional

netcat (required for tests), tcpwrappers and TOR

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/stunnel

Installation of stunnel

The stunnel daemon will be run in a chroot jail by an unprivileged user. Create the new user and group using the following commands as the root user:

groupadd -g 51 stunnel &&
useradd -c "stunnel Daemon" -d /var/lib/stunnel \
        -g stunnel -s /bin/false -u 51 stunnel

Note

A signed SSL Certificate and a Private Key is necessary to run the stunnel daemon. After the package is installed, there are instructions to generate them. However, if you own or have already created a signed SSL Certificate you wish to use, copy it to /etc/stunnel/stunnel.pem before starting the build (ensure only root has read and write access). The .pem file must be formatted as shown below:

-----BEGIN PRIVATE KEY-----
<many encrypted lines of private key>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<many encrypted lines of certificate>
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
<encrypted lines of dh parms>
-----END DH PARAMETERS-----

Install stunnel by running the following commands:

Note

For some systems with binutils versions prior to 2.25, configure may fail. If necessary, fix it either with:

sed -i '/LDFLAGS.*static_flag/ s/^/#/' configure

or, if LLVM-9.0.1 with Clang is installed, you can replace ./configure ... with CC=clang ./configure ... in the first command below.

./configure --prefix=/usr        \
            --sysconfdir=/etc    \
            --localstatedir=/var \
            --disable-systemd    &&
make

If you have installed the optional netcat application, the regression tests can be run with make check.

Now, as the root user:

make docdir=/usr/share/doc/stunnel-5.56 install

If you do not already have a signed SSL Certificate and Private Key, create the stunnel.pem file in the /etc/stunnel directory using the command below. You will be prompted to enter the necessary information. Ensure you reply to the

Common Name (FQDN of your server) [localhost]:

prompt with the name or IP address you will be using to access the service(s).

To generate a certificate, as the root user, issue:

make cert

Command Explanations

--disable-systemd: This switch disables systemd socket activation support which is not available in BLFS.

make docdir=... install: This command installs the package and changes the documentation installation directory to standard naming conventions.

Configuring stunnel

Config Files

/etc/stunnel/stunnel.conf

Configuration Information

As the root user, create the directory used for the .pid file created when the stunnel daemon starts:

install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run &&
chown stunnel:stunnel /var/lib/stunnel

Next, create a basic /etc/stunnel/stunnel.conf configuration file using the following commands as the root user:

cat >/etc/stunnel/stunnel.conf << "EOF" 
; File: /etc/stunnel/stunnel.conf

; Note: The pid and output locations are relative to the chroot location.

pid    = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert   = /etc/stunnel/stunnel.pem

;debug = 7
;output = stunnel.log

;[https]
;accept  = 443
;connect = 80
;; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
;; Microsoft implementations do not use SSL close-notify alert and thus
;; they are vulnerable to truncation attacks
;TIMEOUTclose = 0

EOF

Finally, add the service(s) you wish to encrypt to the configuration file. The format is as follows:

[<service>]
accept  = <hostname:portnumber>
connect = <hostname:portnumber>

If you use stunnel to encrypt a daemon started from [x]inetd, you may need to disable that daemon in the /etc/[x]inetd.conf file and enable a corresponding <service>_stunnel service. You may have to add an appropriate entry in /etc/services as well.

For a full explanation of the commands and syntax used in the configuration file, issue man stunnel.

Boot Script

To automatically start the stunnel daemon when the system is booted, install the /etc/rc.d/init.d/stunnel bootscript from the blfs-bootscripts-20191204 package.

make install-stunnel

Contents

Installed Programs: stunnel and stunnel3
Installed Library: libstunnel.so
Installed Directories: /{etc,usr/lib,var/lib}/stunnel and /usr/share/doc/stunnel-5.56

Short Descriptions

stunnel

is a program designed to work as an SSL encryption wrapper between remote clients and local ({x}inetd-startable) or remote servers.

stunnel3

is a Perl wrapper script to use stunnel 3.x syntax with stunnel >=4.05.

libstunnel.so

contains the API functions required by stunnel.

Last updated on 2020-02-20 12:41:28 -0800

Sudo-1.8.31

Introduction to Sudo

The Sudo package allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Sudo Dependencies

Optional

Linux-PAM-1.3.1, MIT Kerberos V5-1.18, OpenLDAP-2.4.49, MTA (that provides a sendmail command), AFS, FWTK, and Opie

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/sudo

Installation of Sudo

First, fix a problem that prevents installation from completion:

sed -e '/^pre-install:/{N;s@;@ -a -r $(sudoersdir)/sudoers;@}' \
    -i plugins/sudoers/Makefile.in

Install Sudo by running the following commands:

./configure --prefix=/usr              \
            --libexecdir=/usr/lib      \
            --with-secure-path         \
            --with-all-insults         \
            --with-env-editor          \
            --docdir=/usr/share/doc/sudo-1.8.31 \
            --with-passprompt="[sudo] password for %p: " &&
make

To test the results, issue: env LC_ALL=C make check 2>&1 | tee ../make-check.log. Check the results with grep failed ../make-check.log. One test, test3, is known to fail if the tests are run as the root user.

Now, as the root user:

make install &&
ln -sfv libsudo_util.so.0.0.0 /usr/lib/sudo/libsudo_util.so.0

Command Explanations

--libexecdir=/usr/lib: This switch controls where private programs are installed. Everything in that directory is a library, so they belong under /usr/lib instead of /usr/libexec.

--with-secure-path: This switch transparently adds /sbin and /usr/sbin directories to the PATH environment variable.

--with-all-insults: This switch includes all the sudo insult sets.

--with-env-editor: This switch enables use of the environment variable EDITOR for visudo.

--with-passprompt: This switch sets the password prompt.

--without-pam: This switch avoids building Linux-PAM support when Linux-PAM is installed on the system.

Note

There are many options to sudo's configure command. Check the configure --help output for a complete list.

ln -sfv libsudo_util...: Works around a bug in the installation process, which links to the previously installed version (if there is one) instead of the new one.

Configuring Sudo

Config File

/etc/sudoers

Configuration Information

The sudoers file can be quite complicated. It is composed of two types of entries: aliases (basically variables) and user specifications (which specify who may run what). The installation installs a default configuration that has no privileges installed for any user.

A couple of common configuration chanes are to set the path for the super user and to allow members of the wheel group to execute all commands after providing their own credientials. Use the following commands to create the /etc/sudoers.d/sudo configuration file as the root user:

cat > /etc/sudoers.d/sudo << "EOF"
Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"
%wheel ALL=(ALL) ALL
EOF

For details, see man sudoers.

Note

The Sudo developers highly recommend using the visudo program to edit the sudoers file. This will provide basic sanity checking like syntax parsing and file permission to avoid some possible mistakes that could lead to a vulnerable configuration.

If PAM is installed on the system, Sudo is built with PAM support. In that case, issue the following command as the root user to create the PAM configuration file:

cat > /etc/pam.d/sudo << "EOF"
# Begin /etc/pam.d/sudo

# include the default auth settings
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required    pam_env.so

# include system session defaults
session   include     system-session

# End /etc/pam.d/sudo
EOF
chmod 644 /etc/pam.d/sudo

Contents

Installed Programs: cvtsudoers, sudo, sudoedit (symlink), sudoreplay, and visudo
Installed Libraries: group_file.so, libsudo_util.so, sudoers.so, sudo_noexec.so, and system_group.so
Installed Directories: /etc/sudoers.d, /usr/lib/sudo, /usr/share/doc/sudo-1.8.31, and /var/{lib,run}/sudo

Short Descriptions

cvtsudoers

converts between sudoers file formats.

sudo

executes a command as another user as permitted by the /etc/sudoers configuration file.

sudoedit

is a symlink to sudo that implies the -e option to invoke an editor as another user.

sudoreplay

is used to play back or list the output logs created by sudo.

visudo

allows for safer editing of the sudoers file.

Last updated on 2020-02-15 08:54:30 -0800

Tripwire-2.4.3.7

Introduction to Tripwire

The Tripwire package contains programs used to verify the integrity of the files on a given system.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Tripwire Dependencies

Optional

An MTA

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/tripwire

Installation of Tripwire

Compile Tripwire by running the following commands:

sed -e '/^CLOBBER/s/false/true/'         \
    -e 's|TWDB="${prefix}|TWDB="/var|'   \
    -e '/TWMAN/ s|${prefix}|/usr/share|' \
    -e '/TWDOCS/s|${prefix}/doc/tripwire|/usr/share/doc/tripwire-2.4.3.7|' \
    -i installer/install.cfg                               &&

find . -name Makefile.am | xargs                           \
    sed -i 's/^[[:alpha:]_]*_HEADERS.*=/noinst_HEADERS =/' &&

sed '/dist/d' -i man/man?/Makefile.am                      &&
autoreconf -fi                                             &&

./configure --prefix=/usr --sysconfdir=/etc/tripwire       &&
make

Note

The default configuration is to use a local MTA. If you don't have an MTA installed and have no wish to install one, modify install/install.cfg to use an SMTP server instead. Otherwise the install will fail.

This package does not come with a test suite.

Now, as the root user:

make install &&
cp -v policy/*.txt /usr/share/doc/tripwire-2.4.3.7

Note

During make install, several questions are asked, including passwords. If you want to make a script, you have to apply a sed before running make install:

sed -i -e 's@installer/install.sh@& -n -s <site-password> -l <local-password>@' Makefile

Of course, you should do this with dummy passwords and change them later.

Another issue when scripting is that the installer exits when the standard input is not a terminal. You may disable this behavior with the following sed:

sed '/-t 0/,+3d' -i installer/install.sh

Command Explanations

sed ... installer/install.cfg: This command tells the package to install the program database and reports in /var/lib/tripwire and sets the proper location for man pages and documentation.

find ..., sed ..., and autoreconf -fi: The build system is unusable as is, and has to be modified for the build to succeed.

make install: This command creates the Tripwire security keys as well as installing the binaries. There are two keys: a site key and a local key which are stored in /etc/tripwire/.

cp -v policy/*.txt /usr/doc/tripwire-2.4.3.7: This command installs the tripwire sample policy files with the other tripwire documentation.i

Configuring Tripwire

Config Files

/etc/tripwire/*

Configuration Information

Tripwire uses a policy file to determine which files are integrity checked. The default policy file (/etc/tripwire/twpol.txt) is for a default installation and will need to be updated for your system.

Policy files should be tailored to each individual distribution and/or installation. Some example policy files can be found in /usr/share/doc/tripwire/.

If desired, copy the policy file you'd like to try into /etc/tripwire/ instead of using the default policy file, twpol.txt. It is, however, recommended that you edit your policy file. Get ideas from the examples above and read /usr/share/doc/tripwire/policyguide.txt for additional information. twpol.txt is a good policy file for learning about Tripwire as it will note any changes to the file system and can even be used as an annoying way of keeping track of changes for uninstallation of software.

After your policy file has been edited to your satisfaction you may begin the configuration steps (perform as the root) user:

twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \
    /etc/tripwire/twpol.txt &&
tripwire --init

Depending on your system and the contents of the policy file, the initialization phase above can take a relatively long time.

Usage Information

Tripwire will identify file changes in the critical system files specified in the policy file. Using Tripwire while making frequent changes to these directories will flag all these changes. It is most useful after a system has reached a configuration that the user considers stable.

To use Tripwire after creating a policy file to run a report, use the following command:

tripwire --check > /etc/tripwire/report.txt

View the output to check the integrity of your files. An automatic integrity report can be produced by using a cron facility to schedule the runs.

Reports are stored in binary and, if desired, encrypted. View reports, as the root user, with:

twprint --print-report -r /var/lib/tripwire/report/<report-name.twr>

After you run an integrity check, you should examine the report (or email) and then modify the Tripwire database to reflect the changed files on your system. This is so that Tripwire will not continually notify you that files you intentionally changed are a security violation. To do this you must first ls -l /var/lib/tripwire/report/ and note the name of the newest file which starts with your system name as presented by the command uname -n and ends in .twr. These files were created during report creation and the most current one is needed to update the Tripwire database of your system. As the root user, type in the following command making the appropriate report name:

tripwire --update --twrfile /var/lib/tripwire/report/<report-name.twr>

You will be placed into Vim with a copy of the report in front of you. If all the changes were good, then just type :wq and after entering your local key, the database will be updated. If there are files which you still want to be warned about, remove the 'x' before the filename in the report and type :wq.

Changing the Policy File

If you are unhappy with your policy file and would like to modify it or use a new one, modify the policy file and then execute the following commands as the root user:

twadmin --create-polfile /etc/tripwire/twpol.txt &&
tripwire --init

Contents

Installed Programs: siggen, tripwire, twadmin, and twprint
Installed Libraries: None
Installed Directories: /etc/tripwire, /var/lib/tripwire, and /usr/share/doc/tripwire-2.4.3.7

Short Descriptions

siggen

is a signature gathering utility that displays the hash function values for the specified files.

tripwire

is the main file integrity checking program.

twadmin

administrative and utility tool used to perform certain administrative functions related to Tripwire files and configuration options.

twprint

prints Tripwire database and report files in clear text format.

Last updated on 2020-02-20 12:41:28 -0800

volume_key-0.3.12

Introduction to volume_key

The volume_key package provides a library for manipulating storage volume encryption keys and storing them separately from volumes to handle forgotten passphrases.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

volume_key Dependencies

Required

cryptsetup-2.0.6, GLib-2.62.4, GPGME-1.13.1, and NSS-3.50

Recommended
Optional

Python-2.7.17

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/volume_key

Installation of volume_key

Install volume_key by running the following commands:

Note

This package expands to the directory volume_key-volume_key-0.3.12.

autoreconf -fiv              &&
./configure --prefix=/usr    \
            --without-python &&
make

This package does not come with a functioning test suite.

Now, as the root user:

make install

Command Explanations

--without-python: This parameter prevents building the Python 2 bindings, if Python-2.7.17 is installed.

--without-python3: Use this option if you do not want to build the Python 3 bindings. In this case, SWIG-4.0.1 is not needed.

Contents

Installed Program: volume_key
Installed Library: libvolume_key.so
Installed Directory: /usr/include/volume_key

Short Descriptions

volume_key

manages encrypted volume keys and passphrases.

volume_key.so

contains API functions for managing encrypted volume keys.

Last updated on 2015-09-25 08:48:24 -0500

Chapter 5. File Systems and Disk Management

Journaling file systems reduce the time needed to recover a file system that was not unmounted properly. While this can be extremely important in reducing downtime for servers, it has also become popular for desktop environments. This chapter contains other journaling file systems you can use instead of the default LFS extended file system (ext2/3/4). It also provides introductory material on managing disk arrays.

About initramfs

The only purpose of an initramfs is to mount the root filesystem. The initramfs is a complete set of directories that you would find on a normal root filesystem. It is bundled into a single cpio archive and compressed with one of several compression algorithms.

At boot time, the boot loader loads the kernel and the initramfs image into memory and starts the kernel. The kernel checks for the presence of the initramfs and, if found, mounts it as / and runs /init. The init program is typically a shell script. Note that the boot process takes longer, possibly significantly longer, if an initramfs is used.

For most distributions, kernel modules are the biggest reason to have an initramfs. In a general distribution, there are many unknowns such as file system types and disk layouts. In a way, this is the opposite of LFS where the system capabilities and layout are known and a custom kernel is normally built. In this situation, an initramfs is rarely needed.

There are only four primary reasons to have an initramfs in the LFS environment: loading the rootfs from a network, loading it from an LVM logical volume, having an encrypted rootfs where a password is required, or for the convenience of specifying the rootfs as a LABEL or UUID. Anything else usually means that the kernel was not configured properly.

Building an initramfs

If you do decide to build an initramfs, the following scripts will provide a basis to do it. The scripts will allow specifying a rootfs via partition UUID or partition LABEL or a rootfs on an LVM logical volume. They do not support an encrypted root file system or mounting the rootfs over a network card. For a more complete capability see the LFS Hints or dracut.

To install these scripts, run the following commands as the root user:

cat > /sbin/mkinitramfs << "EOF"
#!/bin/bash
# This file based in part on the mkinitramfs script for the LFS LiveCD
# written by Alexander E. Patrakov and Jeremy Huntwork.

copy()
{
  local file

  if [ "$2" == "lib" ]; then
    file=$(PATH=/lib:/usr/lib type -p $1)
  else
    file=$(type -p $1)
  fi

  if [ -n "$file" ] ; then
    cp $file $WDIR/$2
  else
    echo "Missing required file: $1 for directory $2"
    rm -rf $WDIR
    exit 1
  fi
}

if [ -z $1 ] ; then
  INITRAMFS_FILE=initrd.img-no-kmods
else
  KERNEL_VERSION=$1
  INITRAMFS_FILE=initrd.img-$KERNEL_VERSION
fi

if [ -n "$KERNEL_VERSION" ] && [ ! -d "/lib/modules/$1" ] ; then
  echo "No modules directory named $1"
  exit 1
fi

printf "Creating $INITRAMFS_FILE... "

binfiles="sh cat cp dd killall ls mkdir mknod mount "
binfiles="$binfiles umount sed sleep ln rm uname"
binfiles="$binfiles readlink basename"

# Systemd installs udevadm in /bin. Other udev implementations have it in /sbin
if [ -x /bin/udevadm ] ; then binfiles="$binfiles udevadm"; fi

sbinfiles="modprobe blkid switch_root"

#Optional files and locations
for f in mdadm mdmon udevd udevadm; do
  if [ -x /sbin/$f ] ; then sbinfiles="$sbinfiles $f"; fi
done

unsorted=$(mktemp /tmp/unsorted.XXXXXXXXXX)

DATADIR=/usr/share/mkinitramfs
INITIN=init.in

# Create a temporary working directory
WDIR=$(mktemp -d /tmp/initrd-work.XXXXXXXXXX)

# Create base directory structure
mkdir -p $WDIR/{bin,dev,lib/firmware,run,sbin,sys,proc,usr}
mkdir -p $WDIR/etc/{modprobe.d,udev/rules.d}
touch $WDIR/etc/modprobe.d/modprobe.conf
ln -s lib $WDIR/lib64
ln -s ../bin $WDIR/usr/bin

# Create necessary device nodes
mknod -m 640 $WDIR/dev/console c 5 1
mknod -m 664 $WDIR/dev/null    c 1 3

# Install the udev configuration files
if [ -f /etc/udev/udev.conf ]; then
  cp /etc/udev/udev.conf $WDIR/etc/udev/udev.conf
fi

for file in $(find /etc/udev/rules.d/ -type f) ; do
  cp $file $WDIR/etc/udev/rules.d
done

# Install any firmware present
cp -a /lib/firmware $WDIR/lib

# Copy the RAID configuration file if present
if [ -f /etc/mdadm.conf ] ; then
  cp /etc/mdadm.conf $WDIR/etc
fi

# Install the init file
install -m0755 $DATADIR/$INITIN $WDIR/init

if [  -n "$KERNEL_VERSION" ] ; then
  if [ -x /bin/kmod ] ; then
    binfiles="$binfiles kmod"
  else
    binfiles="$binfiles lsmod"
    sbinfiles="$sbinfiles insmod"
  fi
fi

# Install basic binaries
for f in $binfiles ; do
  if [ -e /bin/$f ]; then d="/bin"; else d="/usr/bin"; fi
  ldd $d/$f | sed "s/\t//" | cut -d " " -f1 >> $unsorted
  copy $d/$f bin
done

# Add lvm if present
if [ -x /sbin/lvm ] ; then sbinfiles="$sbinfiles lvm dmsetup"; fi

for f in $sbinfiles ; do
  ldd /sbin/$f | sed "s/\t//" | cut -d " " -f1 >> $unsorted
  copy $f sbin
done

# Add udevd libraries if not in /sbin
if [ -x /lib/udev/udevd ] ; then
  ldd /lib/udev/udevd | sed "s/\t//" | cut -d " " -f1 >> $unsorted
elif [ -x /lib/systemd/systemd-udevd ] ; then
  ldd /lib/systemd/systemd-udevd | sed "s/\t//" | cut -d " " -f1 >> $unsorted
fi

# Add module symlinks if appropriate
if [ -n "$KERNEL_VERSION" ] && [ -x /bin/kmod ] ; then
  ln -s kmod $WDIR/bin/lsmod
  ln -s kmod $WDIR/bin/insmod
fi

# Add lvm symlinks if appropriate
# Also copy the lvm.conf file
if  [ -x /sbin/lvm ] ; then
  ln -s lvm $WDIR/sbin/lvchange
  ln -s lvm $WDIR/sbin/lvrename
  ln -s lvm $WDIR/sbin/lvextend
  ln -s lvm $WDIR/sbin/lvcreate
  ln -s lvm $WDIR/sbin/lvdisplay
  ln -s lvm $WDIR/sbin/lvscan

  ln -s lvm $WDIR/sbin/pvchange
  ln -s lvm $WDIR/sbin/pvck
  ln -s lvm $WDIR/sbin/pvcreate
  ln -s lvm $WDIR/sbin/pvdisplay
  ln -s lvm $WDIR/sbin/pvscan

  ln -s lvm $WDIR/sbin/vgchange
  ln -s lvm $WDIR/sbin/vgcreate
  ln -s lvm $WDIR/sbin/vgscan
  ln -s lvm $WDIR/sbin/vgrename
  ln -s lvm $WDIR/sbin/vgck
  # Conf file(s)
  cp -a /etc/lvm $WDIR/etc
fi

# Install libraries
sort $unsorted | uniq | while read library ; do
# linux-vdso and linux-gate are pseudo libraries and do not correspond to a file
# libsystemd-shared is in /lib/systemd, so it is not found by copy, and
# it is copied below anyway
  if [[ "$library" == linux-vdso.so.1 ]] ||
     [[ "$library" == linux-gate.so.1 ]] ||
     [[ "$library" == libsystemd-shared* ]]; then
    continue
  fi

  copy $library lib
done

if [ -d /lib/udev ]; then
  cp -a /lib/udev $WDIR/lib
fi
if [ -d /lib/systemd ]; then
  cp -a /lib/systemd $WDIR/lib
fi
if [ -d /lib/elogind ]; then
  cp -a /lib/elogind $WDIR/lib
fi

# Install the kernel modules if requested
if [ -n "$KERNEL_VERSION" ]; then
  find                                                                        \
     /lib/modules/$KERNEL_VERSION/kernel/{crypto,fs,lib}                      \
     /lib/modules/$KERNEL_VERSION/kernel/drivers/{block,ata,md,firewire}      \
     /lib/modules/$KERNEL_VERSION/kernel/drivers/{scsi,message,pcmcia,virtio} \
     /lib/modules/$KERNEL_VERSION/kernel/drivers/usb/{host,storage}           \
     -type f 2> /dev/null | cpio --make-directories -p --quiet $WDIR

  cp /lib/modules/$KERNEL_VERSION/modules.{builtin,order}                     \
            $WDIR/lib/modules/$KERNEL_VERSION

  depmod -b $WDIR $KERNEL_VERSION
fi

( cd $WDIR ; find . | cpio -o -H newc --quiet | gzip -9 ) > $INITRAMFS_FILE

# Prepare early loading of microcode if available
if ls /lib/firmware/intel-ucode/* >/dev/null 2>&1 ||
   ls /lib/firmware/amd-ucode/*   >/dev/null 2>&1; then

# first empty WDIR to reuse it
  rm -r $WDIR/*

  DSTDIR=$WDIR/kernel/x86/microcode
  mkdir -p $DSTDIR

  if [ -d /lib/firmware/amd-ucode ]; then
    cat /lib/firmware/amd-ucode/microcode_amd*.bin > $DSTDIR/AuthenticAMD.bin
  fi

  if [ -d /lib/firmware/intel-ucode ]; then
    cat /lib/firmware/intel-ucode/* > $DSTDIR/GenuineIntel.bin
  fi

  ( cd $WDIR; find . | cpio -o -H newc --quiet ) > microcode.img
  cat microcode.img $INITRAMFS_FILE > tmpfile
  mv tmpfile $INITRAMFS_FILE
  rm microcode.img
fi

# Remove the temporary directories and files
rm -rf $WDIR $unsorted
printf "done.\n"

EOF

chmod 0755 /sbin/mkinitramfs
mkdir -p /usr/share/mkinitramfs &&
cat > /usr/share/mkinitramfs/init.in << "EOF"
#!/bin/sh

PATH=/bin:/usr/bin:/sbin:/usr/sbin
export PATH

problem()
{
   printf "Encountered a problem!\n\nDropping you to a shell.\n\n"
   sh
}

no_device()
{
   printf "The device %s, which is supposed to contain the\n" $1
   printf "root file system, does not exist.\n"
   printf "Please fix this problem and exit this shell.\n\n"
}

no_mount()
{
   printf "Could not mount device %s\n" $1
   printf "Sleeping forever. Please reboot and fix the kernel command line.\n\n"
   printf "Maybe the device is formatted with an unsupported file system?\n\n"
   printf "Or maybe filesystem type autodetection went wrong, in which case\n"
   printf "you should add the rootfstype=... parameter to the kernel command line.\n\n"
   printf "Available partitions:\n"
}

do_mount_root()
{
   mkdir /.root
   [ -n "$rootflags" ] && rootflags="$rootflags,"
   rootflags="$rootflags$ro"

   case "$root" in
      /dev/* ) device=$root ;;
      UUID=* ) eval $root; device="/dev/disk/by-uuid/$UUID"  ;;
      LABEL=*) eval $root; device="/dev/disk/by-label/$LABEL" ;;
      ""     ) echo "No root device specified." ; problem    ;;
   esac

   while [ ! -b "$device" ] ; do
       no_device $device
       problem
   done

   if ! mount -n -t "$rootfstype" -o "$rootflags" "$device" /.root ; then
       no_mount $device
       cat /proc/partitions
       while true ; do sleep 10000 ; done
   else
       echo "Successfully mounted device $root"
   fi
}

do_try_resume()
{
   case "$resume" in
      UUID=* ) eval $resume; resume="/dev/disk/by-uuid/$UUID"  ;;
      LABEL=*) eval $resume; resume="/dev/disk/by-label/$LABEL" ;;
   esac

   if $noresume || ! [ -b "$resume" ]; then return; fi

   ls -lH "$resume" | ( read x x x x maj min x
       echo -n ${maj%,}:$min > /sys/power/resume )
}

init=/sbin/init
root=
rootdelay=
rootfstype=auto
ro="ro"
rootflags=
device=
resume=
noresume=false

mount -n -t devtmpfs devtmpfs /dev
mount -n -t proc     proc     /proc
mount -n -t sysfs    sysfs    /sys
mount -n -t tmpfs    tmpfs    /run

read -r cmdline < /proc/cmdline

for param in $cmdline ; do
  case $param in
    init=*      ) init=${param#init=}             ;;
    root=*      ) root=${param#root=}             ;;
    rootdelay=* ) rootdelay=${param#rootdelay=}   ;;
    rootfstype=*) rootfstype=${param#rootfstype=} ;;
    rootflags=* ) rootflags=${param#rootflags=}   ;;
    resume=*    ) resume=${param#resume=}         ;;
    noresume    ) noresume=true                   ;;
    ro          ) ro="ro"                         ;;
    rw          ) ro="rw"                         ;;
  esac
done

# udevd location depends on version
if [ -x /sbin/udevd ]; then
  UDEVD=/sbin/udevd
elif [ -x /lib/udev/udevd ]; then
  UDEVD=/lib/udev/udevd
elif [ -x /lib/systemd/systemd-udevd ]; then
  UDEVD=/lib/systemd/systemd-udevd
else
  echo "Cannot find udevd nor systemd-udevd"
  problem
fi

${UDEVD} --daemon --resolve-names=never
udevadm trigger
udevadm settle

if [ -f /etc/mdadm.conf ] ; then mdadm -As                       ; fi
if [ -x /sbin/vgchange  ] ; then /sbin/vgchange -a y > /dev/null ; fi
if [ -n "$rootdelay"    ] ; then sleep "$rootdelay"              ; fi

do_try_resume # This function will not return if resuming from disk
do_mount_root

killall -w ${UDEVD##*/}

exec switch_root /.root "$init" "$@"

EOF

Using an initramfs

Required Runtime Dependency

cpio-2.13

Other Runtime Dependencies

LVM2-2.03.08 and/or mdadm-4.1 must be installed before generating the initramfs, if the system partition uses them.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/initramfs

To build an initramfs, run the following as the root user:

mkinitramfs [KERNEL VERSION]

The optional argument is the directory where the appropriate kernel modules are located. This must be a subdirectory of /lib/modules. If no modules are specified, then the initramfs is named initrd.img-no-kmods. If a kernel version is specified, the initrd is named initrd.img-$KERNEL_VERSION and is only appropriate for the specific kernel specified. The output file will be placed in the current directory.

If early loading of microcode is needed (see the section called “Microcode updates for CPUs”), you can install the appropriate blob or container in /lib/firmware. It will be automatically added to the initrd when running mkinitramfs.

After generating the initrd, copy it to the /boot directory.

Now edit /boot/grub/grub.cfg and add a new menuentry. Below are several examples.

# Generic initramfs and root fs identified by UUID
menuentry "LFS Dev (LFS-7.0-Feb14) initrd, Linux 3.0.4"
{
  linux  /vmlinuz-3.0.4-lfs-20120214 root=UUID=54b934a9-302d-415e-ac11-4988408eb0a8 ro
  initrd /initrd.img-no-kmods
}
# Generic initramfs and root fs on LVM partition
menuentry "LFS Dev (LFS-7.0-Feb18) initrd lvm, Linux 3.0.4"
{
  linux  /vmlinuz-3.0.4-lfs-20120218 root=/dev/mapper/myroot ro
  initrd /initrd.img-no-kmods
}
# Specific initramfs and root fs identified by LABEL
menuentry "LFS Dev (LFS-7.1-Feb20) initrd label, Linux 3.2.6"
{
  linux  /vmlinuz-3.2.6-lfs71-120220 root=LABEL=lfs71 ro
  initrd /initrd.img-3.2.6-lfs71-120220
}

Finally, reboot the system and select the desired system.

Last updated on 2020-01-09 08:18:14 -0800

btrfs-progs-5.4.1

Introduction to btrfs-progs

The btrfs-progs package contains administration and debugging tools for the B-tree file system (btrfs).

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Btrfs-progs Dependencies

Required

LZO-2.10

Recommended
Optional

LVM2-2.03.08 (dmsetup is used in tests), Python-2.7.17 (python bindings), and reiserfsprogs-3.6.27 (for tests)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/xfs

Kernel Configuration

Enable the following option in the kernel configuration and recompile the kernel:

File systems --->
  <*/M> Btrfs filesystem support [CONFIG_BTRFS_FS]

Note

CONFIG_BTRFS_FS_POSIX_ACL and CONFIG_REISERFS_FS_XATTR are required for some tests. Other Btrfs options in the kernel are optional.

Installation of btrfs-progs

Install btrfs-progs by running the following commands:

./configure --prefix=/usr  \
            --bindir=/bin  \
            --libdir=/lib  \
            --disable-zstd &&
make

Note

Some tests require grep built with perl regular expressions. To obtain this, rebuild grep with the LFS Chapter 6 instructions after installing PCRE-8.44.

Before running tests, build a support program and disable several that fail:

make fssum &&

sed -i '/found/s/^/: #/' tests/convert-tests.sh &&

mv tests/convert-tests/010-reiserfs-basic/test.sh{,.broken}                 &&
mv tests/convert-tests/011-reiserfs-delete-all-rollback/test.sh{,.broken}   &&
mv tests/convert-tests/012-reiserfs-large-hole-extent/test.sh{,.broken}     &&
mv tests/convert-tests/013-reiserfs-common-inode-flags/test.sh{,.broken}    &&
mv tests/convert-tests/014-reiserfs-tail-handling/test.sh{,.broken}         &&
mv tests/misc-tests/025-zstd-compression/test.sh{,.broken}

To test the results, issue (as the root user):

pushd tests
   ./fsck-tests.sh    
   ./mkfs-tests.sh    
   ./cli-tests.sh     
   ./convert-tests.sh 
   ./misc-tests.sh    
   ./fuzz-tests.sh    
popd

Install the package as the root user:

make install &&

ln -sfv ../../lib/$(readlink /lib/libbtrfs.so) /usr/lib/libbtrfs.so &&
ln -sfv ../../lib/$(readlink /lib/libbtrfsutil.so) /usr/lib/libbtrfsutil.so &&
rm -fv /lib/libbtrfs.{a,so} /lib/libbtrfsutil.{a,so} &&
mv -v /bin/{mkfs,fsck}.btrfs /sbin

Command Explanations

--disable-documentation: This option is needed if the recommended dependencies are not installed.

mv tests/{cli,convert,misc,fuzz}-tests/ ...: Disables tests that fail and prevent tests from completing.

ln -s ... /usr/lib/libbtrfs.so: Creates a symbolic link in the directory where it is expected.

rm /lib/libbtrfs.{a,so}: Removes unneeded library entries.

Contents

Installed Programs: btrfs, btrfs-convert, btrfs-find-root, btrfs-image, btrfs-map-logical, btrfs-select-super, btrfsck (link to btrfs), btrfstune, fsck.btrfs, and mkfs.btrfs
Installed Libraries: libbtrfs.so and libbtrfsutil.so
Installed Directories: /usr/include/btrfs

Short Descriptions

btrfs

is the main interface into btrfs filesystem operations.

btrfs-convert

converts from an ext2/3/4 filesystem to btrfs.

btrfs-find-root

is a filter to find btrfs root.

btrfs-map-logical

maps btrfs logical extent to physical extent.

btrfs-select-super

overwrites the primary superblock with a backup copy.

btrfstune

tunes various filesystem parameters.

fsck.btrfs

does nothing, but is present for consistency with fstab.

mkfs.btrfs

creates a btrfs file system.

Last updated on 2020-02-18 14:50:03 -0800

dosfstools-4.1

Introduction to dosfstools

The dosfstools package contains various utilities for use with the FAT family of file systems.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/dosfstools

Kernel Configuration

Enable the following option in the kernel configuration and recompile the kernel:

File systems --->
  <DOS/FAT/NT Filesystems --->
    <*/M> MSDOS fs support             [CONFIG_MSDOS_FS]
    <*/M> VFAT (Windows-95) fs support [CONFIG_VFAT_FS]

Installation of dosfstools

Install dosfstools by running the following commands:

./configure --prefix=/               \
            --enable-compat-symlinks \
            --mandir=/usr/share/man  \
            --docdir=/usr/share/doc/dosfstools-4.1 &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Command Explanations

--enable-compat-symlinks: This switch creates the dosfsck, dosfslabel, fsck.msdos, fsck.vfat, mkdosfs, mkfs.msdos, and mkfs.vfat symlinks required by some programs.

Contents

Installed Programs: fatlabel, fsck.fat, and mkfs.fat

Short Descriptions

fatlabel

set or get a MS-DOS filesystem label from a given device

fsck.fat

check and repair MS-DOS filesystems

mkfs.fat

create an MS-DOS filesystem under Linux

Last updated on 2020-02-18 14:50:03 -0800

Fuse-3.9.0

Introduction to Fuse

FUSE (Filesystem in Userspace) is a simple interface for userspace programs to export a virtual filesystem to the Linux kernel. Fuse also aims to provide a secure method for non privileged users to create and mount their own filesystem implementations.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Fuse Dependencies

Optional

Doxygen-1.8.17 (to rebuild the API documentation)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/fuse

Kernel Configuration

Enable the following options in the kernel configuration and recompile the kernel if necessary:

File systems  --->
  <*/M> FUSE (Filesystem in Userspace) support [CONFIG_FUSE_FS]

Installation of Fuse

Install Fuse by running the following commands:

sed -i '/^udev/,$ s/^/#/' util/meson.build &&

mkdir build &&
cd    build &&

meson --prefix=/usr .. &&
ninja

The API documentation is included in the package, but if you have Doxygen-1.8.17 installed and wish to rebuild it, issue:

doxygen doc/Doxyfile

This package does not come with a test suite.

Now, as the root user:

ninja install                                             &&

mv -vf   /usr/lib/libfuse3.so.3*     /lib                 &&
ln -sfvn ../../lib/libfuse3.so.3.9.0 /usr/lib/libfuse3.so &&

mv -vf /usr/bin/fusermount3  /bin         &&
mv -vf /usr/sbin/mount.fuse3 /sbin        &&
chmod u+s /bin/fusermount3                &&

install -v -m755 -d /usr/share/doc/fuse-3.9.0      &&
install -v -m644    ../doc/{README.NFS,kernel.txt} \
                    /usr/share/doc/fuse-3.9.0      &&
cp -Rv ../doc/html  /usr/share/doc/fuse-3.9.0      

Command Explanations

sed ... util/meson.build: This command disables the installation of a boot script and udev rule that are not needed.

mv ... libfuse3.so.3*; ln ... libfuse3.so: These commands install the libraries in the /lib directory.

Configuring fuse

Config Files

Some options regarding mount policy can be set in the file /etc/fuse.conf. To install the file run the following command as the root user:

cat > /etc/fuse.conf << "EOF"
# Set the maximum number of FUSE mounts allowed to non-root users.
# The default is 1000.
#
#mount_max = 1000

# Allow non-root users to specify the 'allow_other' or 'allow_root'
# mount options.
#
#user_allow_other
EOF

Additional information about the meaning of the configuration options are found in the man page.

Contents

Installed Programs: fusermount3, mount.fuse3
Installed Libraries: libfuse3.so
Installed Directory: /usr/include/fuse3 and /usr/share/doc/fuse-3.9.0

Short Descriptions

fusermount3

is a suid root program to mount and unmount Fuse filesystems.

mount.fuse3

is the command mount calls to mount a Fuse filesystem.

libfuse3.so

contains the FUSE API functions.

Last updated on 2020-02-17 13:54:09 -0800

jfsutils-1.1.15

Introduction to jfsutils

The jfsutils package contains administration and debugging tools for the jfs file system.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/jfs

Kernel Configuration

Enable the following option in the kernel configuration and recompile the kernel:

File systems  --->
  <*/M> JFS filesystem support [CONFIG_JFS_FS]

Installation of jfsutils

Install jfsutils by running the following commands:

sed -i "/unistd.h/a#include <sys/types.h>"    fscklog/extract.c &&
sed -i "/ioctl.h/a#include <sys/sysmacros.h>" libfs/devices.c   &&

./configure &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Command Explanations

sed ...: Fixes building with glibc 2.28.

Contents

Installed Programs: fsck.jfs, jfs_debugfs, jfs_fsck, jfs_fscklog, jfs_logdump, jfs_mkfs, jfs_tune, mkfs.jfs
Installed Libraries: None
Installed Directories: None

Short Descriptions

fsck.jfs

is used to replay the JFS transaction log, check a JFS formatted device for errors, and fix any errors found.

jfs_fsck

is a hard link to fsck.jfs.

mkfs.jfs

constructs an JFS file system.

jfs_mkfs

is a hard link to mkfs.jfs.

jfs_debugfs

is a program which can be used to perform various low-level actions on a JFS formatted device.

jfs_fscklog

extracts a JFS fsck service log into a file and/or formats and displays the extracted file.

jfs_logdump

dumps the contents of the journal log from the specified JFS formatted device into output file ./jfslog.dmp.

jfs_tune

adjusts tunable file system parameters on JFS file systems.

Last updated on 2020-02-18 14:50:03 -0800

LVM2-2.03.08

Introduction to LVM2

The LVM2 package is a set of tools that manage logical partitions. It allows spanning of file systems across multiple physical disks and disk partitions and provides for dynamic growing or shrinking of logical partitions, mirroring and low storage footprint snapshots.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

LVM2 Dependencies

Required

libaio-0.3.112

Optional

mdadm-4.1, reiserfsprogs-3.6.27, Valgrind-3.15.0, Which-2.21, xfsprogs-5.4.0 (all five may be used, but are not required, for tests), and thin-provisioning-tools

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/lvm2

Kernel Configuration

Enable the following options in the kernel configuration and recompile the kernel:

Note

There are several other Device Mapper options in the kernel beyond those listed below. In order to get reasonable results if running the regression tests, all must be enabled either internally or as a module. The tests will all time out if Magic SysRq key is not enabled.

Device Drivers --->
  [*] Multiple devices driver support (RAID and LVM) ---> [CONFIG_MD]
    <*/M>   Device mapper support                         [CONFIG_BLK_DEV_DM]
    <*/M/ >   Crypt target support                        [CONFIG_DM_CRYPT]
    <*/M/ >   Snapshot target                             [CONFIG_DM_SNAPSHOT]
    <*/M/ >   Thin provisioning target                    [CONFIG_DM_THIN_PROVISIONING]
    <*/M/ >   Mirror target                               [CONFIG_DM_MIRROR]
Kernel hacking --->
  [*] Magic SysRq key                                     [CONFIG_MAGIC_SYSRQ]

Installation of LVM2

Install LVM2 by running the following commands:

SAVEPATH=$PATH                  &&
PATH=$PATH:/sbin:/usr/sbin      &&
./configure --prefix=/usr       \
            --exec-prefix=      \
            --enable-cmdlib     \
            --enable-pkgconfig  \
            --enable-udev_sync  &&
make                            &&
PATH=$SAVEPATH                  &&
unset SAVEPATH

The tests use udev for logical volume synchronization, so the LVM udev rules and some utilities need to be installed before running the tests. If you are installing LVM2 for the first time, and do not want to install the full package before running the tests, the minimal set of utilities can be installed by running the following instructions as the root user:

make -C tools install_tools_dynamic &&
make -C udev  install                 &&
make -C libdm install

To test the results, issue, as the root user:

make check_local

Other targets are available and can be listed with make -C test help. The test timings are very dependent on the speed of the disk(s), and on the number of enabled kernel options.

The tests do not implement the expected fail possibility, and a small number of test failures is expected by upstream. More failures may happen because some kernel options are missing. For example, the lack of the dm-delay device mapper target may explain some failures. Some tests are flagged warned if thin-provisioning-tools are not installed. A workaround is to add the following flags to configure:

     --with-thin-check=    \
     --with-thin-dump=     \
     --with-thin-repair=   \
     --with-thin-restore=  \
     --with-cache-check=   \
     --with-cache-dump=    \
     --with-cache-repair=  \
     --with-cache-restore= \

Some tests may hang. They can be removed if necessary, for example: rm test/shell/lvconvert-raid-reshape.sh. The tests generate a lot of kernel messages, which may clutter your terminal. You can disable them by issuing dmesg -D before running the tests (do not forget to issue dmesg -E when tests are done).

Note

The checks create device nodes in the /tmp directory. The tests will fail if /tmp is mounted with the nodev option.

Now, as the root user:

make install

Command Explanations

PATH=$PATH:/sbin:/usr/sbin: The path must contain /sbin and /usr/sbin for proper system tool detection by the configure script. This instruction ensures that PATH is properly set even if you build as an unprivileged user.

--enable-cmdlib: This switch enables building of the shared command library. It is required when building the event daemon.

--enable-pkgconfig: This switch enables installation of pkg-config support files.

--enable-udev_sync: This switch enables synchronisation with Udev processing.

--enable-dmeventd: This switch enables building of the Device Mapper event daemon.

Contents

Installed Programs: blkdeactivate, dmeventd (optional), dmsetup, fsadm, lvm, and lvmdump. There are also numerous symbolic links to lvm that implement specific functionalities
Installed Libraries: libdevmapper.so and liblvm2cmd.so; optional: libdevmapper-event.so, libdevmapper-event-lvm2.so, libdevmapper-event-lvm2mirror.so, libdevmapper-event-lvm2snapshot.so, libdevmapper-event-lvm2raid.so, and libdevmapper-event-lvm2thin.so
Installed Directories: /etc/lvm and /lib/device-mapper (optional)

Short Descriptions

blkdeactivate

is a utility to deactivate block devices.

dmeventd

(optional) is the Device Mapper event daemon.

dmsetup

is a low level logical volume management tool.

fsadm

is a utility used to resize or check filesystem on a device.

lvm

provides the command-line tools for LVM2. Commands are implemented via sympolic links to this program to manage physical devices (pv*), volume groups (vg*) and logical volumes (lv*).

lvmdump

is a tool used to dump various information concerning LVM2.

vgimportclone

is used to import a duplicated VG (e.g. hardware snapshot).

libdevmapper.so

contains the Device Mapper API functions.

Last updated on 2020-02-18 14:50:03 -0800

About Logical Volume Management (LVM)

LVM manages disk drives. It allows multiple drives and partitions to be combined into larger volume groups, assists in making backups through a snapshot, and allows for dynamic volume resizing. It can also provide mirroring similar to a RAID 1 array.

A complete discussion of LVM is beyond the scope of this introduction, but basic concepts are presented below.

To run any of the commands presented here, the LVM2-2.03.08 package must be installed. All commands must be run as the root user.

Management of disks with lvm is accomplished using the following concepts:

physical volumes

These are physical disks or partitions such as /dev/sda3 or /dev/sdb.

volume groups

These are named groups of physical volumes that can be manipulated by the administrator. The number of physical volumes that make up a volume group is arbitrary. Physical volumes can be dynamically added or removed from a volume group.

logical volumes

Volume groups may be subdivided into logical volumes. Each logical volume can then be individually formatted as if it were a regular Linux partition. Logical volumes may be dynamically resized by the administrator according to need.

To give a concrete example, suppose that you have two 2 TB disks. Also suppose a really large amount of space is required for a very large database, mounted on /srv/mysql. This is what the initial set of partitions would look like:

Partition  Use    Size      Partition Type
/dev/sda1  /boot  100MB     83 (Linux)
/dev/sda2  /       10GB     83 (Linux)
/dev/sda3  swap     2GB     82 (Swap)
/dev/sda4  LVM    remainder 8e (LVM)
/dev/sdb1  swap     2GB     82 (Swap)
/dev/sdb2  LVM    remainder 8e (LVM)

First initialize the physical volumes:

pvcreate /dev/sda4 /dev/sdb2

Note

A full disk can be used as part of a physical volume, but beware that the pvcreate command will destroy any partition information on that disk.

Next create a volume group named lfs-lvm:

vgcreate lfs-lvm /dev/sda4  /dev/sdb2

The status of the volume group can be checked by running the command vgscan. Now create the logical volumes. Since there is about 3900 GB available, leave about 900 GB free for expansion. Note that the logical volume named mysql is larger than any physical disk.

lvcreate --name mysql --size 2500G lfs-lvm
lvcreate --name home  --size  500G lfs-lvm

Finally the logical volumes can be formatted and mounted. In this example, the jfs file system (jfsutils-1.1.15) is used for demonstration purposes.

mkfs -t ext4 /dev/lfs-lvm/home
mkfs -t jfs  /dev/lfs-lvm/mysql
mount /dev/lfs-lvm/home /home
mkdir -p /srv/mysql
mount /dev/lfs-lvm/mysql /srv/mysql

The LFS boot scripts automatically make these file systems available to the system in the checkfs script. Edit the /etc/fstab file as required to automatically mount them.

A LVM logical volume can host a root filesystem, but requires the use of an initramfs (initial RAM file system) and is not discussed here.

For a more information about LVM, see the LVM HOWTO and the lvm man pages.

Last updated on 2019-11-10 01:43:02 -0800

About RAID

The storage technology known as RAID (Redundant Array of Independent Disks) combines multiple physical disks into a logical unit. The drives can generally be combined to provide data redundancy or to extend the size of logical units beyond the capability of the physical disks or both. The technology also allows for providing hardware maintenance without powering down the system.

The types of RAID organization are described in the RAID Wiki.

Note that while RAID provides protection against disk failures, it is not a substitute for backups. A file deleted is still deleted on all the disks of a RAID array. Modern backups are generally done via rsync-3.1.3.

There are three major types of RAID implementation: Hardware RAID, BIOS-based RAID, and Software RAID.

Hardware RAID

Hardware based RAID provides capability through proprietary hardware and data layouts. The control and configuration is generally done via firmware in conjunction with executable programs made available by the device manufacturer. The capabilities are generally supplied via a PCI card, although there are some instances of RAID components integrated in to the motherboard. Hardware RAID may also be available in a stand-alone enclosure.

One advantage of hardware-based RAID is that the drives are offered to the operating system as a logical drive and no operating system dependent configuration is needed.

Disadvantages include difficulties in transferring drives from one system to another, updating firmware, or replacing failed RAID hardware.

BIOS-based RAID

Some computers offter a hardware-like RAID implementation in the system BIOS. Sometime this is referred to as 'fake' RAID as the capabilites are generally incorporated into firmware without any hardware acceleration.

The advantages and disadvantages of BIOS-based RAID are generally the same as hardware RAID with the additional disadvantage that there is no hardware acceleration.

In some cases, BIOS-based RAID firmware is enabled by default (e.g. some DELL systems). If software RAID is desired, this option must be explicitly disabled in the BIOS.

Software RAID

Software based RAID is the most flexible form of RAID. It is easy to install and update and provides full capability on all or part of any drives available to the system. In BLFS, the RAID software is found in mdadm-4.1.

Configuring a RAID device is straight forward using mdadm. Generally devices are created in the /dev directory as /dev/mdx where x is an integer.

The first step in creating a RAID array is to use partitioning software such as fdisk or parted-3.3 to define the partitions needed for the array. Usually, there will be one partition on each drive participating in the RAID array, but that is not strictly necessary. For this example, there will be four disk drives: /dev/sda, /dev/sdb, /dev/sdc, and /dev/sdd. They will be partitioned as follows:

Partition Size     Type                Use
sda1:     100 MB   fd Linux raid auto  /boot    (RAID 1) /dev/md0
sda2:      10 GB   fd Linux raid auto  /        (RAID 1) /dev/md1
sda3:       2 GB   83 Linux swap       swap
sda4      300 GB   fd Linux raid auto  /home    (RAID 5) /dev/md2

sdb1:     100 MB   fd Linux raid auto  /boot    (RAID 1) /dev/md0
sdb2:      10 GB   fd Linux raid auto  /        (RAID 1) /dev/md1
sdb3:       2 GB   83 Linux swap       swap
sdb4      300 GB   fd Linux raid auto  /home    (RAID 5) /dev/md2

sdc1:      12 GB   fd Linux raid auto  /usr/src (RAID 0) /dev/md3
sdc2:     300 GB   fd Linux raid auto  /home    (RAID 5) /dev/md2

sdd1:      12 GB   fd Linux raid auto  /usr/src (RAID 0) /dev/md3
sdd2:     300 GB   fd Linux raid auto  /home    (RAID 5) /dev/md2 

Is this arrangement, a separate boot partition is created as the first small RAID array and a root filesystem as the secong RAID array, both mirrored. The third partition is a large (about 1TB) array for the /home directory. This provides an ability to stripe data across multiple devices, improving speed for botih reading and writing large files. Finally, a fourth array is created that concatenates two partitions into a larger device.

Note

All mdadm commands must be run as the root user.

To create these RAID arrays the commands are:

/sbin/mdadm -Cv /dev/md0 --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1
/sbin/mdadm -Cv /dev/md1 --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2
/sbin/mdadm -Cv /dev/md3 --level=0 --raid-devices=2 /dev/sdc1 /dev/sdd1
/sbin/mdadm -Cv /dev/md2 --level=5 --raid-devices=4 \
        /dev/sda4 /dev/sdb4 /dev/sdc2 /dev/sdd2 

The devices created can be examined by device. For example, to see the details of /dev/md1, use /sbin/mdadm --detail /dev/md1:

        Version : 1.2
  Creation Time : Tue Feb  7 17:08:45 2012
     Raid Level : raid1
     Array Size : 10484664 (10.00 GiB 10.74 GB)
  Used Dev Size : 10484664 (10.00 GiB 10.74 GB)
   Raid Devices : 2
  Total Devices : 2
    Persistence : Superblock is persistent

    Update Time : Tue Feb  7 23:11:53 2012
          State : clean
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0

           Name : core2-blfs:0  (local to host core2-blfs)
           UUID : fcb944a4:9054aeb2:d987d8fe:a89121f8
         Events : 17

    Number   Major   Minor   RaidDevice State
       0       8        1        0      active sync   /dev/sda1
       1       8       17        1      active sync   /dev/sdb1

From this point, the partitions can be formated with the filesystem of choice (e.g. ext3, ext4, xfsprogs-5.4.0, reiserfsprogs-3.6.27, etc). The formatted partitions can then be mounted. The /etc/fstab file can use the devices created for mounting at boot time and the linux command line in /boot/grub/grub.cfg can specify root=/dev/md1.

Note

The swap devices should be specified in the /etc/fstab file as normal. The kernel normally stripes swap data across multiple swap files and should not be made part of a RAID array.

For further options and management details of RAID devices, refer to man mdadm.

Additional details for monitoring RAID arrays and dealing with problems can be found at the Linux RAID Wiki.

Last updated on 2016-01-30 14:15:21 -0800

mdadm-4.1

Introduction to mdadm

The mdadm package contains administration tools for software RAID.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

mdadm Dependencies

Optional

A MTA

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/mdadm

Caution

Kernel versions in series 4.1 through 4.4.1 have a broken RAID implementation. Use a kernel with version at or above 4.4.2.

Kernel Configuration

Enable the following options in the kernel configuration and recompile the kernel, if necessary. Only the RAID types desired are required.

Device Drivers --->
  [*] Multiple devices driver support (RAID and LVM) ---> [CONFIG_MD]
    <*> RAID support                                      [CONFIG_BLK_DEV_MD]
    [*]   Autodetect RAID arrays during kernel boot       [CONFIG_MD_AUTODETECT]
    <*/M>  Linear (append) mode                           [CONFIG_MD_LINEAR]
    <*/M>  RAID-0 (striping) mode                         [CONFIG_MD_RAID0]
    <*/M>  RAID-1 (mirroring) mode                        [CONFIG_MD_RAID1]
    <*/M>  RAID-10 (mirrored striping) mode               [CONFIG_MD_RAID10]
    <*/M>  RAID-4/RAID-5/RAID-6 mode                      [CONFIG_MD_RAID456]

Installation of mdadm

Fix a build error introduced by gcc-7.1:

sed 's@-Werror@@' -i Makefile

Build mdadm by running the following command:

make

If you wish to run the tests, ensure that your kernel supports RAID and that a version of mdadm is not already running. As many as 9 out of 124 tests may fail.

Caution

The tests edit values in /proc and run tests on software raid devices. They shouldn't be run on systems with active software RAID devices.

Run the tests as the root user:

./test --keep-going --logdir=test-logs --save-logs

Now, as the root user:

make install

Command Explanations

make everything: This optional target creates extra programs, particularly a statically-linked version of mdadm and also versions of mdassemble. These all need to be manually installed.

--keep-going: Run the tests to the end, even if one or more tests fail.

--logdir=test-logs: Defines the directory where test logs are saved.

--save-logs: Instructs the test suite to save the logs.

--tests=<test1,test2,...>: Optional comma separated list of tests to be executed (all tests, if this option is not passed).

Contents

Installed Programs: mdadm, mdmon and optionally mdassemble
Installed Libraries: None
Installed Directory: None

Short Descriptions

mdadm

manages MD devices aka Linux Software RAID.

mdmon

monitors MD external metadata arrays.

mdassemble

is a tiny program that can be used to assemble MD devices inside an initial ramdisk (initrd) or initramfs.

Last updated on 2020-02-18 14:50:03 -0800

ntfs-3g-2017.3.23

Introduction to Ntfs-3g

The Ntfs-3g package contains a stable, read-write open source driver for NTFS partitions. NTFS partitions are used by most Microsoft operating systems. Ntfs-3g allows you to mount NTFS partitions in read-write mode from your Linux system. It uses the FUSE kernel module to be able to implement NTFS support in user space. The package also contains various utilities useful for manipulating NTFS partitions.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Ntfs-3g Dependencies

Optional

fuse 2.x (this disables user mounts)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/ntfs-3g

Kernel Configuration

Enable the following options in the kernel configuration and recompile the kernel if necessary:

File systems  --->
  <*/M> FUSE (Filesystem in Userspace) support [CONFIG_FUSE_FS]

Installation of Ntfs-3g

Install Ntfs-3g by running the following commands:

./configure --prefix=/usr        \
            --disable-static     \
            --with-fuse=internal &&
make

This package does not come with a test suite.

Now, as the root user:

make install &&
ln -sv ../bin/ntfs-3g /sbin/mount.ntfs &&
ln -sv ntfs-3g.8 /usr/share/man/man8/mount.ntfs.8

If you want ordinary users to be able to mount NTFS partitions you'll need to set mount.ntfs with the root user ID. Note: it is probably unsafe to do this on a computer that needs to be secure (like a server). As the root user:

chmod -v 4755 /bin/ntfs-3g

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

--with-fuse=internal: This switch dynamically forces ntfs-3g to use an internal copy of the fuse-2.x library. This is required if you wish to allow users to mount NTFS partitions.

--disable-ntfsprogs: Disables installation of various utilities used to manipulate NTFS partitions.

ln -sv ../bin/ntfs-3g /sbin/mount.ntfs: Creating /sbin/mount.ntfs makes mount default to using Ntfs-3g to mount NTFS partitions.

chmod -v 4755 /bin/ntfs-3g: Making mount.ntfs setuid root allows non root users to mount NTFS partitions.

Using Ntfs-3g

To mount a Windows partition at boot time, put a line like this in /etc/fstab:

/dev/sda1 /mnt/windows auto defaults 0 0

To allow users to mount a usb stick with an NTFS filesystem on it, put a line similar to this (change sdc1 to whatever a usb stick would be on your system) in /etc/fstab:

/dev/sdc1 /mnt/usb auto user,noauto,umask=0,utf8 0 0

In order for a user to be able to mount the usb stick, they will need to be able to write to /mnt/usb, so as the root user:

chmod -v 777 /mnt/usb

Contents

Installed Programs: lowntfs-3g, mkfs.ntfs, mkntfs, mount.lowntfs-3g, mount.ntfs, mount.ntfs-3g, ntfs-3g, ntfs-3g.probe, ntfs-3g.secaudit, ntfs-3g.usermap, ntfscat, ntfsclone, ntfscluster, ntfscmp, ntfscp, ntfsfix, ntfsinfo, ntfslabel, ntfsls, ntfsresize and ntfsundelete
Installed Library: libntfs-3g.so
Installed Directories: /usr/include/ntfs-3g and /usr/share/doc/ntfs-3g

Short Descriptions

lowntfs-3g

is similar to ntfs-3g but uses the Fuse low-level interface.

mkfs.ntfs

is a symlink to mkntfs.

mkntfs

creates an NTFS file system.

mount.lowntfs-3g

is a symlink to lowntfs-3g.

mount.ntfs

mounts an NTFS filesystem.

mount.ntfs-3g

is a symbolic link to ntfs-3g.

ntfs-3g

is an NTFS driver, which can create, remove, rename, move files, directories, hard links, and streams. It can also read and write files, including streams, sparse files and transparently compressed files. It can also handle special files like symbolic links, devices, and FIFOs; moreover it provides standard management of file ownership and permissions, including POSIX ACLs.

ntfs-3g.probe

tests if an NTFS volume is mountable read only or read-write, and exits with a status value accordingly. The volume can be a block device or image file.

ntfs-3g.secaudit

audits NTFS Security Data.

ntfs-3g.usermap

creates the file defining the mapping of Windows accounts to Linux logins for users who owns files which should be visible from both Windows and Linux.

ntfscluster

identifies files in a specified region of an NTFS volume

ntfscp

copies a file to an NTFS volume.

ntfsfix

fixes common errors and forces Windows to check an NTFS partition.

ntfsls

lists directory contents on an NTFS filesystem.

ntfscat

prints NTFS files and streams on the standard output.

ntfsclone

clones an NTFS filesystem.

ntfscmp

compares two NTFS filesystems and tells the differences.

ntfsinfo

dumps a file's attributes.

ntfslabel

displays or changes the label on an ntfs file system.

ntfsresize

resizes an NTFS filesystem without data loss.

ntfsundelete

recovers a deleted file from an NTFS volume.

libntfs-3g.so

contains the Ntfs-3g API functions.

Last updated on 2020-02-17 13:54:09 -0800

gptfdisk-1.0.5

Introduction to gptfdisk

The gptfdisk package is a set of programs for creation and maintenance of GUID Partition Table (GPT) disk drives. A GPT partitioned disk is required for drives greater than 2 TB and is a modern replacement for legacy PC-BIOS partitioned disk drives that use a Master Boot Record (MBR). The main program, gdisk, has an inteface similar to the classic fdisk program.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Additional Downloads

gptfdisk Dependencies

Required

popt-1.16

Optional

ICU-65.1

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gptdisk

Installation of gptfdisk

The gptfdisk package comes with a rudimentary Makefile. First we update it to provide a simple build and install interface and fix the location of a header file. Install gptfdisk by running the following commands:

patch -Np1 -i ../gptfdisk-1.0.5-convenience-1.patch &&
sed -i 's|ncursesw/||' gptcurses.cc &&

make

To test the results, issue: make test.

Now, as the root user:

make install

Command Explanations

patch -Np1 ...: This patch modifies the Makefile file so that it provides an install target.

Contents

Installed Programs: cgdisk, gdisk, fixparts, and sgdisk

Short Descriptions

cgdisk

is an ncurses-based tool for manipulating GPT partitions.

gdisk

is an interactive text-mode tool for manipulating GPT partitions.

fixparts

repairs mis-formatted MBR based disk partitions.

sgdisk

is a partition manipulation program for GPT partitions similar to sfdisk.

Last updated on 2020-02-19 08:47:37 -0800

parted-3.3

Introduction to parted

The Parted package is a disk partitioning and partition resizing tool.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Parted Dependencies

Recommended
Optional

dosfstools-4.1, Pth-2.0.7, texlive-20190410 (or install-tl-unx), and Digest::CRC (for tests)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/parted

Installation of parted

Install Parted by running the following commands:

./configure --prefix=/usr --disable-static &&
make &&

make -C doc html                                       &&
makeinfo --html      -o doc/html       doc/parted.texi &&
makeinfo --plaintext -o doc/parted.txt doc/parted.texi

If you have texlive-20190410 installed and wish to create PDF and Postcript documentation issue the following commands:

texi2pdf             -o doc/parted.pdf doc/parted.texi &&
texi2dvi             -o doc/parted.dvi doc/parted.texi &&
dvips                -o doc/parted.ps  doc/parted.dvi

If you wish to run the test suite, first remove a couple of tests that are known to fail in a BLFS environment:

sed -i '/t0251-gpt-unicode.sh/d' tests/Makefile &&
sed -i '/t6002-dm-busy.sh/d' tests/Makefile

To test the results, issue, as the root user:

make check

Note

Many tests are skipped if not run as the root user.

Now, as the root user:

make install &&
install -v -m755 -d /usr/share/doc/parted-3.3/html &&
install -v -m644    doc/html/* \
                    /usr/share/doc/parted-3.3/html &&
install -v -m644    doc/{FAT,API,parted.{txt,html}} \
                    /usr/share/doc/parted-3.3

Install the optional PDF and Postscript documentation by issuing the following command as the root user:

install -v -m644 doc/FAT doc/API doc/parted.{pdf,ps,dvi} \
                    /usr/share/doc/parted-3.3

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

--disable-device-mapper: This option disables device mapper support. Add this parameter if you have not installed LVM2.

Contents

Installed Programs: parted and partprobe
Installed Libraries: libparted.so and libparted-fs-resize.so
Installed Directories: /usr/include/parted and /usr/share/doc/parted-3.3

Short Descriptions

parted

is a partition manipulation program.

partprobe

informs the OS of partition table changes.

libparted.so

contains the Parted API functions.

Last updated on 2020-02-18 14:50:03 -0800

reiserfsprogs-3.6.27

Introduction to reiserfsprogs

The reiserfsprogs package contains various utilities for use with the Reiser file system.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/reiser

Kernel Configuration

Enable the following option in the kernel configuration and recompile the kernel:

File systems --->
  <*/M> Reiserfs support [CONFIG_REISERFS_FS]

Installation of reiserfsprogs

Install reiserfsprogs by running the following commands:

sed -i '/parse_time.h/i #define _GNU_SOURCE' lib/parse_time.c &&
autoreconf -fiv             &&
./configure --prefix=/usr   \
            --sbindir=/sbin &&

make

This package does not come with a test suite.

Now, as the root user:

make install

Command Explanations

sed ...: Ensure a variable is defined for use with recent include files.

--sbindir=/sbin: This switch ensures that the reiserfsprogs utilities are installed in /sbin.

Contents

Installed Programs: debugreiserfs, mkreiserfs, reiserfsck, reiserfstune, and resize_reiserfs
Installed Library: libreiserfscore.so
Installed Directory: /usr/include/reiserfs

Short Descriptions

debugreiserfs

can sometimes help to solve problems with ReiserFS file systems. If it is called without options, it prints the super block of any ReiserFS file system found on the device.

mkreiserfs

creates a ReiserFS file system.

reiserfsck

is used to check or repair a ReiserFS file system.

reiserfstune

is used for tuning the ReiserFS journal. WARNING: Don't use this utility without first reading the man page thoroughly.

resize_reiserfs

is used to resize an unmounted ReiserFS file system.

Last updated on 2020-02-18 14:50:03 -0800

smartmontools-7.1

Introduction to smartmontools

The smartmontools package contains utility programs (smartctl, smartd) to control/monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology System (S.M.A.R.T.) built into most modern ATA and SCSI disks.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

smartmontools Dependencies

Optional (runtime)

cURL-7.68.0 or Lynx-2.8.9rel.1 or Wget-1.20.3 (download tools), and GnuPG-2.2.19 (encrypted hard disks)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/smartmontools

Installation of smartmontools

Install smartmontools by running the following commands:

./configure --prefix=/usr           \
            --sysconfdir=/etc       \
            --with-initscriptdir=no \
            --with-libsystemd=no    \
            --docdir=/usr/share/doc/smartmontools-7.1 &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Configuring smartmontools

Config File

/etc/smartd.conf

Configuration Information

See the embedded comments in /etc/smartd.conf for detailed instructions on customizing the smartd darmon.

Boot Script

If you want the smartd daemon to start automatically when the system is booted, install the /etc/rc.d/init.d/smartd init script included in the blfs-bootscripts-20191204 package.

make install-smartd

Command Explanations

--with-initscriptdir=no: This switch suppresses the default initialization script. See above for the BLFS script.

Contents

Installed Programs: smartctl, smartd, and update-smart-drivedb
Installed Libraries: None
Installed Directories: /usr/share/smartmontools, /usr/share/doc/smartmontools-6.4, and /etc/smartd_warning.d

Short Descriptions

smartctl

is the control and monitor utility for SMART Disks.

smartd

is the SMART disk monitoring daemon.

update-smart-drivedb

is the update tool for the smartmontools drive database.

Last updated on 2020-02-16 15:50:16 -0800

sshfs-3.7.0

Introduction to Sshfs

The Sshfs package contains a filesystem client based on the SSH File Transfer Protocol. This is useful for mounting a remote computer that you have ssh access to as a local filesystem. This allows you to drag and drop files or run shell commands on the remote files as if they were on your local computer.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Sshfs Dependencies

Required

Fuse-3.9.0, GLib-2.62.4, and OpenSSH-8.2p1.

Optional

docutils-0.16 (required to build the man page)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/sshfs

Installation of Sshfs

Install Sshfs by running the following commands:

mkdir build &&
cd    build &&
          
meson --prefix=/usr .. &&
ninja

This package does not come with a test suite.

Now, as the root user:

ninja install

Using Sshfs

To mount an ssh server you need to be able to log into the server. For example, to mount your remote home folder to the local ~/examplepath (the directory must exist and you must have permissions to write to it):

sshfs example.com:/home/userid ~/examplepath

When you've finished work and want to unmount it again:

fusermount3 -u ~/example

You can also mount an sshfs filesystem at boot by adding an entry similar to the following in the /etc/fstab file:

[email protected]:/path /media/path fuse.sshfs _netdev,IdentityFile=/home/userid/.ssh/id_rsa 0 0

See man 1 sshfs and man 8 mount.fuse for all available mount options.

Contents

Installed Program: sshfs
Installed Libraries: None
Installed Directories: None

Short Descriptions

sshfs

mounts an ssh server as a local file system.

Last updated on 2020-02-17 13:54:09 -0800

xfsprogs-5.4.0

Introduction to xfsprogs

The xfsprogs package contains administration and debugging tools for the XFS file system.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/xfs

Kernel Configuration

Enable the following options in the kernel configuration and recompile the kernel:

File systems --->
  <*/M> XFS filesystem support [CONFIG_XFS_FS]

Installation of xfsprogs

Install xfsprogs by running the following commands:

make DEBUG=-DNDEBUG     \
     INSTALL_USER=root  \
     INSTALL_GROUP=root \
     LOCAL_CONFIGURE_OPTIONS="--enable-readline"

This package does not come with a test suite.

Now, as the root user:

make PKG_DOC_DIR=/usr/share/doc/xfsprogs-5.4.0 install     &&
make PKG_DOC_DIR=/usr/share/doc/xfsprogs-5.4.0 install-dev &&

rm -rfv /usr/lib/libhandle.a                                &&
rm -rfv /lib/libhandle.{a,la,so}                            &&
ln -sfv ../../lib/libhandle.so.1 /usr/lib/libhandle.so      &&
sed -i "s@libdir='/lib@libdir='/usr/lib@" /usr/lib/libhandle.la

Command Explanations

make DEBUG=-DNDEBUG: Turns off debugging symbols.

INSTALL_USER=root INSTALL_GROUP=root: This sets the owner and group of the installed files.

LOCAL_CONFIGURE_OPTIONS="...": This passes extra configuration options to the configure script. The example --enable-readline parameter enables linking the XFS programs with the libreadline.so library, in order to allow editing interactive commands.

OPTIMIZER="...": Adding this parameter to the end of the make command overrides the default optimization settings.

Contents

Installed Programs: fsck.xfs, mkfs.xfs, xfs_admin, xfs_bmap, xfs_copy, xfs_db, xfs_estimate, xfs_freeze, xfs_fsr, xfs_growfs, xfs_info, xfs_io, xfs_logprint, xfs_mdrestore, xfs_metadump, xfs_mkfile, xfs_ncheck, xfs_quota, xfs_repair, xfs_rtcp, and xfs_spaceman
Installed Libraries: libhandle.so
Installed Directories: /usr/include/xfs and /usr/share/doc/xfsprogs-5.4.0

Short Descriptions

fsck.xfs

simply exits with a zero status, since XFS partitions are checked at mount time.

mkfs.xfs

constructs an XFS file system.

xfs_admin

changes the parameters of an XFS file system.

xfs_bmap

prints block mapping for an XFS file.

xfs_copy

copies the contents of an XFS file system to one or more targets in parallel.

xfs_estimate

for each directory argument, estimates the space that directory would take if it were copied to an XFS filesystem (does not cross mount points).

xfs_db

is used to debug an XFS file system.

xfs_freeze

suspends access to an XFS file system.

xfs_fsr

applicable only to XFS filesystems, improves the organization of mounted filesystems, the reorganization algorithm operates on one file at a time, compacting or othewise improving the layout of the file extents (contiguous blocks of file data).

xfs_growfs

expands an XFS file system.

xfs_info

is equivalent to invoking xfs_growfs, but specifying that no change to the file system is to be made.

xfs_io

is a debugging tool like xfs_db, but is aimed at examining the regular file I/O path rather than the raw XFS volume itself.

xfs_logprint

prints the log of an XFS file system.

xfs_mdrestore

restores an XFS metadump image to a filesystem image.

xfs_metadump

copies XFS filesystem metadata to a file.

xfs_mkfile

creates an XFS file, padded with zeroes by default.

xfs_ncheck

generates pathnames from inode numbers for an XFS file system.

xfs_quota

is a utility for reporting and editing various aspects of filesystem quota.

xfs_repair

repairs corrupt or damaged XFS file systems.

xfs_rtcp

copies a file to the real-time partition on an XFS file system.

xfs_spaceman

reports and controls free space usage in an XFS file system.

libhandle.so

contains XFS-specific functions that provide a way to perform certain filesystem operations without using a file descriptor to access filesystem objects.

Last updated on 2020-02-18 14:50:03 -0800

Chapter 6. Editors

This chapter is referenced in the LFS book for those wishing to use other editors on their LFS system. You're also shown how some LFS installed programs benefit from being recompiled after GUI libraries have been installed.

Bluefish-2.2.11

Introduction to Bluefish

Bluefish is a GTK+ text editor targeted towards programmers and web designers, with many options to write websites, scripts and programming code. Bluefish supports many programming and markup languages, and it focuses on editing dynamic and interactive websites.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Bluefish Dependencies

Required

GTK+-2.24.32 or GTK+-3.24.13 (If both are installed, configure defaults to using GTK+ 3)

Recommended
Optional

enchant-2.2.7 (for spell checking), Gucharmap-12.0.1, PCRE-8.44 and Jing

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/bluefish

Installation of Bluefish

Install Bluefish by running the following commands:

./configure --prefix=/usr --docdir=/usr/share/doc/bluefish-2.2.11 &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Note

This package installs icon files into the /usr/share/icons/hicolor hierarchy and desktop files into the /usr/share/applications hierarchy. You can improve system performance and memory usage by updating /usr/share/icons/hicolor/icon-theme.cache and /usr/share/applications/mimeinfo.cache. To perform the update you must have desktop-file-utils-0.24 (for the desktop cache) and issue the following commands as the root user:

gtk-update-icon-cache -t -f --include-image-data /usr/share/icons/hicolor &&
update-desktop-database

Contents

Installed Program: bluefish
Installed Libraries: several under /usr/lib/bluefish/
Installed Directories: /usr/lib/bluefish, /usr/share/bluefish, /usr/share/doc/bluefish-2.2.11, and /usr/share/xml/bluefish

Short Descriptions

bluefish

is a GTK+ text editor for markup and programming.

Last updated on 2020-02-20 06:05:58 -0800

Ed-1.15

Introduction to Ed

Ed is a line-oriented text editor. It is used to create, display, modify and otherwise manipulate text files, both interactively and via shell scripts. Ed isn't something which many people use. It's described here because it can be used by the patch program if you encounter an ed-based patch file. This happens rarely because diff-based patches are preferred these days.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Ed Dependencies

Required to uncompress the tarball

libarchive-3.4.2 (for bsdtar)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/ed

Installation of Ed

Install Ed by running the following commands:

./configure --prefix=/usr --bindir=/bin &&
make

To test the results, issue: make check.

Now, as the root user:

make install

Contents

Installed Programs: ed and red
Installed Libraries: None
Installed Directories: None

Short Descriptions

ed

is a line-oriented text editor.

red

is a restricted ed—it can only edit files in the current directory and cannot execute shell commands.

Last updated on 2020-02-20 06:05:58 -0800

Emacs-26.3

Introduction to Emacs

The Emacs package contains an extensible, customizable, self-documenting real-time display editor.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Emacs Dependencies

Recommended
Optional

X Window System, alsa-lib-1.2.1.2, dbus-1.12.16, GConf-3.2.6, gobject-introspection-1.62.0, gsettings-desktop-schemas-3.34.0, GPM-1.20.7, GTK+-2.24.32 or GTK+-3.24.13, ImageMagick-6.9.10-93 libraries (see command explanations), libjpeg-turbo-2.0.4, libpng-1.6.37, librsvg-2.46.4, libxml2-2.9.10, MIT Kerberos V5-1.18, Valgrind-3.15.0, intlfonts, libungif, libotf and m17n-lib - to correctly display such complex scripts as Indic and Khmer, and also for scripts that require Arabic shaping support (Arabic and Farsi), and libXaw3d

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/emacs

Installation of Emacs

Install Emacs by running the following commands:

./configure --prefix=/usr --localstatedir=/var &&
make

This package does not come with a test suite. If make succeeds, you can test the result by running src/emacs -Q, which is the program that will be installed, with its auxiliary files. This should start and display the application opening screen.

Now, as the root user:

make install &&
chown -v -R root:root /usr/share/emacs/26.3 &&
rm -vf /usr/lib/systemd/user/emacs.service

Note

This package installs icon files into the /usr/share/icons/hicolor hierarchy and you can improve system performance and memory usage by updating /usr/share/icons/hicolor/index.theme. To perform the update you must have GTK+-2.24.32 or GTK+-3.24.13 installed and issue the following command as the root user:

gtk-update-icon-cache -qtf /usr/share/icons/hicolor

Command Explanations

--localstatedir=/var: Create game score files in /var/games/emacs instead of /usr/var/games/emacs.

IMAGEMAGICK_CFLAGS=-I/usr/include/ImageMagick-6 IMAGEMAGICK_LIBS="-lMagickCore-6.Q16HDRI -lMagick++-6.Q16HDRI -lMagickWand-6.Q16HDRI" : use these when you invoke configure if you have installed ImageMagick-6.9.10-93 libraries and wish to link to them (the normal unversioned pkgconfig files collide with ImageMagick-7.0.9-23 which this package cannot use).

--with-gif=no: Use this if you have not installed giflib-5.2.1 or libungif.

--with-tiff=no: Use this if you have not installed LibTIFF-4.1.0.

--with-gnutls=no: Use this if you have not installed GnuTLS-3.6.12.

Contents

Installed Programs: ctags, ebrowse, emacs (symlink), emacs-26.3, emacsclient, etags, and grep-changelog
Installed Libraries: None
Installed Directories: /usr/libexec/emacs, /usr/share/emacs, and /var/games/emacs

Short Descriptions

ctags

creates cross-reference tagfile database files for source code.

ebrowse

permits browsing of C++ class hierarchies from within emacs.

emacs

is an editor.

emacsclient

attaches an emacs session to an already running emacsserver instance.

etags

is another program to generate source code cross-reference tagfiles.

grep-changelog

prints entries in Change Logs matching various criteria.

Last updated on 2020-02-17 12:12:55 -0800

Gedit-3.34.1

Introduction to Gedit

The Gedit package contains a lightweight UTF-8 text editor for the GNOME Desktop.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Gedit Dependencies

Required

git-2.25.0, gsettings-desktop-schemas-3.34.0, gspell-1.8.3, gtksourceview4-4.4.0, itstool-2.0.6, and libpeas-1.24.1

Recommended
Optional

GTK-Doc-1.32, Vala-0.46.6, and zeitgeist

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gedit

Installation of Gedit

Install Gedit by running the following commands:

mkdir build &&
cd    build &&

meson --prefix=/usr -Dbuildtype=release .. &&
ninja

To test the results, issue: ninja test.

Now, as the root user:

ninja install

Note

If you installed the package to your system using a DESTDIR method, /usr/share/glib-2.0/schemas/gschemas.compiled was not updated/created. Create (or update) the file using the following command as the root user:

glib-compile-schemas /usr/share/glib-2.0/schemas

Command Explanations

-Ddocumentation=true: Use this option to build the reference manual (needs GTK-Doc-1.32).

Contents

Installed Program: gedit
Installed Libraries: libgedit.so
Installed Directories: /usr/include/gedit-3.14 and /usr/{lib,libexec,share,share/gtk-doc/html,share/help/*}/gedit

Short Descriptions

gedit

is a lightweight text editor integrated with the GNOME Desktop.

Last updated on 2020-02-20 06:05:58 -0800

JOE-4.6

Introduction to JOE

JOE (Joe's own editor) is a small text editor capable of emulating WordStar, Pico, and Emacs.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/joe

Installation of JOE

Install JOE by running the following commands:

./configure --prefix=/usr     \
            --sysconfdir=/etc \
            --docdir=/usr/share/doc/joe-4.6 &&
make

This package does not come with a test suite.

Now, as the root user:

make install &&

install -vm 755 joe/util/{stringify,termidx,uniproc} /usr/bin

Configuring JOE

Config Files

/etc/joe/jmacsrc, /etc/joe/joerc, /etc/joe/jpicorc, /etc/joe/jstarrc, /etc/joe/rjoerc, and ~/.joerc

Contents

Installed Programs: jmacs, joe, jpico, jstar, rjoe, stringify, termidx, and uniproc
Installed Libraries: None
Installed Directories: /etc/joe, /usr/share/joe, and /usr/share/doc/joe-4.6

Short Descriptions

jmacs

is a symbolic link to joe used to launch Emacs emulation mode.

joe

is a small text editor capable of emulating WordStar, Pico, and Emacs.

jpico

is a symbolic link to joe used to launch Pico emulation mode.

jstar

is a symbolic link to joe used to launch WordStar emulation mode.

rjoe

is a symbolic link to joe that restricts JOE to editing only files which are specified on the command-line.

stringify

is a program used by joe to convert rc and .jsf files into a C file (see /usr/share/doc/joe-4.6/util/README).

termidx

is a program used by joe to generate the termcap index file (see /usr/share/doc/joe-4.6/util/README).

uniproc

is a program used by joe to generate joe's unicode database file unicat.c from Blocks.txt CaseFolding.txt EastAsianWidth.txt and UnicodeData.txt (find them at /usr/share/doc/joe-4.6/util; see usr/share/doc/joe-4.6/util/README).

Last updated on 2020-02-20 06:05:58 -0800

Kate-19.12.2

Introduction to Kate

The Kate package contains an advanced KF5 based graphical text editor.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Kate Dependencies

Required

KDE Frameworks-5.67.0,

Optional

libgit2

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/kate5

Installation of Kate

Install Kate by running the following commands:

mkdir build &&
cd    build &&

cmake -DCMAKE_INSTALL_PREFIX=$KF5_PREFIX  \
      -DCMAKE_BUILD_TYPE=Release          \
      -DBUILD_TESTING=OFF                 \
      -Wno-dev .. &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Contents

Installed Programs: kate and kwrite
Installed Libraries: libkdeinit5_kate.so and libkdeinit5_kwrite.so
Installed Directories: $KF5_PREFIX/lib/plugins/ktexteditor, $KF5_PREFIX/lib/plugins/plasma/dataengine, $KF5_PREFIX/share/doc/HTML/*/{kate,katepart,kwrite}, $KF5_PREFIX/share/{kateproject,katexmltools}, $KF5_PREFIX/share/kxmlgui5/{kate,katebuild,katecloseexceptplugin}, $KF5_PREFIX/share/kxmlgui5/{katectags,katefiletree,kategdb}, $KF5_PREFIX/share/kxmlgui5/{katekonsole,kateopenheaderplugin}, $KF5_PREFIX/share/kxmlgui5/{kateproject,katesearch,katesnippets}, $KF5_PREFIX/share/kxmlgui5/{katesql,katesymbolviewer,katexmltools}, $KF5_PREFIX/share/kxmlgui5/{kwrite,tabswitcher} and $KF5_PREFIX/share/plasma/plasmoids/org.kde.plasma.katesessions

Short Descriptions

kate

is an advanced text editor for kde.

kwrite

is a text editor for KDE, that is a light version of kate.

Last updated on 2020-02-19 16:31:22 -0800

Mousepad-0.4.2

Introduction to Mousepad

Mousepad is a simple GTK+ 2 text editor for the Xfce desktop environment.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Mousepad Dependencies

Required

gtksourceview-3.24.11 (optionally, it can be built with gtksourceview-2) and Xfconf-4.14.1

Optional

DConf-0.34.0 (runtime) and dbus-glib-0.110

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/mousepad

Installation of Mousepad

Install Mousepad by running the following commands:

./configure --prefix=/usr --enable-keyfile-settings &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Command Explanations

--enable-keyfile-settings: Use the GSettings keyfile backend rather than the default DConf-0.34.0.

Contents

Installed Program: mousepad
Installed Libraries: None
Installed Directories: None

Short Descriptions

mousepad

is a simple GTK+ 2 text editor.

Last updated on 2020-02-20 06:05:58 -0800

Nano-4.8

Introduction to Nano

The Nano package contains a small, simple text editor which aims to replace Pico, the default editor in the Pine package.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/Nano

Installation of Nano

Install Nano by running the following commands:

./configure --prefix=/usr     \
            --sysconfdir=/etc \
            --enable-utf8     \
            --docdir=/usr/share/doc/nano-4.8 &&
make

This package does not come with a test suite.

Now, as the root user:

make install &&
install -v -m644 doc/{nano.html,sample.nanorc} /usr/share/doc/nano-4.8

Command Explanations

--enable-utf8: This switch enables unicode support in Nano.

Configuring nano

Config Files

/etc/nanorc and ~/.nanorc

Configuration Information

Example configuration (create as a system-wide /etc/nanorc or a personal ~/.nanorc file)

set autoindent
set constantshow
set fill 72
set historylog
set multibuffer
set nohelp
set positionlog
set quickblank 
set regexp
set suspend

Check the sample.nanorc file in the installed documentation directory. It includes color configurations and has some documentation included in the comments.

Syntax highlighting is provided for several file types, in /usr/share/nano/ directory. E.g., for shell scripts, you can insert include /usr/share/nano/sh.nanorc in the personal or global configuration file. If you wish highlighting for all supported files, use include /usr/share/nano/*.nanorc.

Contents

Installed Programs: nano and rnano (symlink)
Installed Libraries: None
Installed Directories: /usr/share/nano and /usr/share/doc/nano-4.8

Short Descriptions

nano

is a small, simple text editor which aims to replace Pico, the default editor in the Pine package.

rnano

is a restricted mode for nano.

Last updated on 2020-02-20 06:05:58 -0800

Vim-8.2.0190

Introduction to Vim

The Vim package, which is an abbreviation for VI IMproved, contains a vi clone with extra features as compared to the original vi.

The default LFS instructions install vim as a part of the base system. If you would prefer to link vim against X, you should recompile vim to enable GUI mode. There is no need for special instructions since X support is automatically detected.

Note

The version of vim changes daily. The get the latest version, go to https://github.com/vim/vim/releases.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Vim Dependencies

Recommended
Optional

GPM-1.20.7, Lua-5.3.5, Python-2.7.17, rsync-3.1.3, Ruby-2.7.0, and Tcl-8.6.10

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/vim

Installation of Vim

Note

If you recompile Vim to link against X and your X libraries are not on the root partition, you will no longer have an editor for use in emergencies. You may choose to install an additional editor, not link Vim against X, or move the current vim executable to the /bin directory under a different name such as vi.

Install Vim by running the following commands:

echo '#define SYS_VIMRC_FILE  "/etc/vimrc"' >>  src/feature.h &&
echo '#define SYS_GVIMRC_FILE "/etc/gvimrc"' >> src/feature.h &&

./configure --prefix=/usr        \
            --with-features=huge \
            --enable-gui=gtk3    \
            --with-tlib=ncursesw &&
make

To test the results, issue: make test. The vim test suite outputs a lot of binary data to the screen, which can cause issues with the settings of the current terminal. This can be resolved by redirecting the output to a log file. Even if one of the tests fails to produce the file test.out in src/testdir, the remaining tests will still be executed. If all goes well,the log will report ALL DONE. Note: Some color tests expect to be executed under the xterm terminal emulator. Three tests are known to fail occasionally and can be ignored.

Now, as the root user:

make install

By default, Vim's documentation is installed in /usr/share/vim. The following symlink allows the documentation to be accessed via /usr/share/doc/vim-8.2.0190, making it consistent with the location of documentation for other packages:

ln -snfv ../vim/vim82/doc /usr/share/doc/vim-8.2.0190

If you wish to update the runtime files, issue the following command (requires rsync-3.1.3):

rsync -avzcP --exclude="/dos/" --exclude="/spell/" \
    ftp.nluug.nl::Vim/runtime/ ./runtime/

To install the runtime files and regenerate the tags file, as the root user issue:

make -C src installruntime &&
vim -c ":helptags /usr/share/doc/vim-8.2.0190" -c ":q"

Command Explanations

--with-features=huge: This switch enables all the additional features available in Vim, including support for multibyte characters.

--with-tlib=ncursesw: This switch forces Vim to link against the libncursesw library.

--enable-gui=no: This will prevent compilation of the GUI. Vim will still link against X, so that some features such as the client-server model or the x11-selection (clipboard) are still available.

--without-x: If you prefer not to link Vim against X, use this switch.

--enable-perlinterp, --enable-pythoninterp, --enable-tclinterp, --enable-rubyinterp: These options include the Perl, Python, Tcl, or Ruby interpreters that allow using other application code in vim scripts.

Configuring Vim

Config Files

/etc/vimrc and ~/.vimrc

Desktop File

If desired, create a menu entry for graphical vim, gvim.desktop, as the root user

cat > /usr/share/applications/gvim.desktop << "EOF"
[Desktop Entry]
Name=GVim Text Editor
Comment=Edit text files
Comment[pt_BR]=Edite arquivos de texto
TryExec=gvim
Exec=gvim -f %F
Terminal=false
Type=Application
Icon=gvim.png
Categories=Utility;TextEditor;
StartupNotify=true
MimeType=text/plain;
EOF

Configuration Information

Vim has an integrated spell checker which you can enable it if you issue the following in a vim window:

:setlocal spell spelllang=ru

This setting will enable spell checking for the Russian language for the current session.

By default, Vim only installs spell files for the English language. If a spell file is not available for a language, then Vim will call the $VIMRUNTIME/plugin/spellfile.vim plugin and will try to obtain the *.spl and optionally *.sug from the vim ftp server, by using the $VIMRUNTIME/plugin/netrwPlugin.vim plugin.

Alternatively you can manually download the *.spl and *.sug files from: ftp://ftp.vim.org/pub/vim/runtime/spell/ and save them to ~/.vim/spell or in /usr/share/vim/vim82/spell/.

To find out what's new in Vim-8.2.0190 issue the following command:

:help version-8.2.0190

For additional information on setting up Vim configuration files, see The vimrc Files and http://vim.wikia.com/wiki/Example_vimrc.

Contents

A list of the reinstalled files, along with their short descriptions can be found in the LFS Vim Installation Instructions

Installed Programs: gview, gvim, gvimdiff, gvimtutor, rgview, and rgvim
Installed Libraries: None
Installed Directory: /usr/share/vim

Short Descriptions

gview

starts gvim in read-only mode.

gvim

is the editor that runs under X and includes a GUI.

gvimdiff

edits two or three versions of a file with gvim and shows the differences.

gvimtutor

teaches the basic keys and commands of gvim.

rgview

is a restricted version of gview.

rgvim

is a restricted version of gvim.

Last updated on 2020-02-20 08:59:05 -0800

Other Editors

  • Geany is a text editor using the GTK+2 toolkit with basic features of an integrated development environment. It was developed to provide a small and fast IDE, which has only a few dependencies from other packages. It supports many filetypes and has some nice features.

  • Leafpad is a very simple text editor using the GTK+2 toolkit.

  • mcedit is a text editor installed as part of MC-4.8.24.

Last updated on 2019-04-23 14:44:53 -0700

Chapter 7. Shells

We are all familiar with the Bourne Again SHell, but there are two other user interfaces that are considered useful modern shells – the Berkeley Unix C shell and the Korn shell. This chapter installs packages compatible with these additional shell types.

Dash-0.5.10.2

Introduction to Dash

Dash is a POSIX compliant shell. It can be installed as /bin/sh or as the default shell for either root or a second user with a userid of 0. It depends on fewer libraries than the Bash shell and is therefore less likely to be affected by an upgrade problem or disk failure. Dash is also useful for checking that a script is completely compatible with POSIX syntax.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Dash Dependencies

Optional

libedit (command line editor library)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/dash

Installation of Dash

Install Dash by running the following commands:

./configure --bindir=/bin --mandir=/usr/share/man &&
make

This package does not come with a test suite.

Now, as the root user:

make install

If you would like to make dash the default sh, recreate the /bin/sh symlink as the root user:

Note

If you create the symbolic link from dash to sh, you will need to reset the link to bash to build LFS.

ln -svf dash /bin/sh

Command Explanations

--bindir=/bin: This parameter places the dash binary into the root filesystem.

--with-libedit: To compile Dash with libedit support.

Configuring Dash

Config Files

Dash sources /etc/profile and ~/.profile

Configuration Information

Update /etc/shells to include the Dash shell by issuing the following command as the root user:

cat >> /etc/shells << "EOF"
/bin/dash
EOF

Contents

Installed Program: dash
Installed Libraries: None
Installed Directories: None

Short Description

dash

is a POSIX compliant shell.

Last updated on 2020-02-17 18:27:03 -0800

Tcsh-6.22.02

Introduction to Tcsh

The Tcsh package contains an enhanced but completely compatible version of the Berkeley Unix C shell (csh). This is useful as an alternative shell for those who prefer C syntax to that of the bash shell, and also because some programs require the C shell in order to perform installation tasks.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/tcsh

Installation of Tcsh

Install Tcsh by running the following commands:

./configure --prefix=/usr --bindir=/bin &&

make &&
sh ./tcsh.man2html

To test the results, issue: make check.

Now, as the root user:

make install install.man &&

ln -v -sf tcsh   /bin/csh &&
ln -v -sf tcsh.1 /usr/share/man/man1/csh.1 &&

install -v -m755 -d          /usr/share/doc/tcsh-6.22.02/html &&
install -v -m644 tcsh.html/* /usr/share/doc/tcsh-6.22.02/html &&
install -v -m644 FAQ         /usr/share/doc/tcsh-6.22.02

Command Explanations

--bindir=/bin: This installs the tcsh program in /bin instead of /usr/bin.

sh ./tcsh.man2html: This creates HTML documentation from the formatted man page.

ln -v -sf tcsh /bin/csh: The FHS states that if there is a C shell installed, there should be a symlink from /bin/csh to it. This creates that symlink.

Configuring Tcsh

Config Files

There are numerous configuration files for the C shell. Examples of these are /etc/csh.cshrc, /etc/csh.login, /etc/csh.logout, ~/.tcshrc, ~/.cshrc, ~/.history, ~/.cshdirs, ~/.login, and ~/.logout. More information on these files can be found in the tcsh(1) man page.

Configuration Information

Update /etc/shells to include the C shell program names (as the root user):

cat >> /etc/shells << "EOF"
/bin/tcsh
/bin/csh
EOF

The following ~/.cshrc provides two alternative colour prompts and coloured ls output. If you prefer a global modification, issue the command as the root user, replacing ~/.cshrc by /etc/csh.cshrc.

cat > ~/.cshrc << "EOF"
# Original at:
# https://www.cs.umd.edu/~srhuang/teaching/code_snippets/prompt_color.tcsh.html

# Modified by the BLFS Development Team.

# Add these lines to your ~/.cshrc (or to /etc/csh.cshrc).

# Colors!
set     red="%{\033[1;31m%}"
set   green="%{\033[0;32m%}"
set  yellow="%{\033[1;33m%}"
set    blue="%{\033[1;34m%}"
set magenta="%{\033[1;35m%}"
set    cyan="%{\033[1;36m%}"
set   white="%{\033[0;37m%}"
set     end="%{\033[0m%}" # This is needed at the end...

# Setting the actual prompt.  Two separate versions for you to try, pick
# whichever one you like better, and change the colors as you want.
# Just don't mess with the ${end} guy in either line...  Comment out or
# delete the prompt you don't use.

set prompt="${green}%n${blue}@%m ${white}%~ ${green}%%${end} "
set prompt="[${green}%n${blue}@%m ${white}%~ ]${end} "

# This was not in the original URL above
# Provides coloured ls
alias ls ls --color=always

# Clean up after ourselves...
unset red green yellow blue magenta cyan yellow white end
EOF

Contents

Installed Program: tcsh
Installed Libraries: None
Installed Directory: /usr/share/doc/tcsh-6.22.02

Short Descriptions

tcsh

is an enhanced but completely compatible version of the Berkeley Unix C shell, csh. It is usable as both an interactive shell and a script processor.

Last updated on 2020-02-17 18:27:03 -0800

zsh-5.8

Introduction to zsh

The zsh package contains a command interpreter (shell) usable as an interactive login shell and as a shell script command processor. Of the standard shells, zsh most closely resembles ksh but includes many enhancements.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

  • Download (HTTP): http://www.zsh.org/pub/zsh-5.8.tar.xz

  • Download MD5 sum: e02a5428620b3dd268800c7843b3dd4d

  • Download size: 3.0 MB

  • Estimated disk space required: 72 MB (includes documentation and tests)

  • Estimated build time: 1.3 SBU (Using parallelism=4; includes documentation and tests)

Additional Downloads

Note

When there is a new zsh release, the old files shown above are moved to a new server directory: http://www.zsh.org/pub/old/.

zsh Dependencies

Optional

libcap-2.31 with PAM, PCRE-8.44, and Valgrind-3.15.0,

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/zsh

Installation of zsh

If you downloaded the optional documentation, unpack it with the following command:

tar --strip-components=1 -xvf ../zsh-5.8-doc.tar.xz

Install zsh by running the following commands:

./configure --prefix=/usr         \
            --bindir=/bin         \
            --sysconfdir=/etc/zsh \
            --enable-etcdir=/etc/zsh                  &&
make                                                  &&

makeinfo  Doc/zsh.texi --plaintext -o Doc/zsh.txt     &&
makeinfo  Doc/zsh.texi --html      -o Doc/html        &&
makeinfo  Doc/zsh.texi --html --no-split --no-headers -o Doc/zsh.html

If you have texlive-20190410 installed, you can build PDF format of the documentation by issuing the following command:

texi2pdf  Doc/zsh.texi -o Doc/zsh.pdf

To test the results, issue: make check.

Now, as the root user:

make install                              &&
make infodir=/usr/share/info install.info &&

install -v -m755 -d                 /usr/share/doc/zsh-5.8/html &&
install -v -m644 Doc/html/*         /usr/share/doc/zsh-5.8/html &&
install -v -m644 Doc/zsh.{html,txt} /usr/share/doc/zsh-5.8

If you downloaded the optional documentation, install it by issuing the following commands as the root user:

make htmldir=/usr/share/doc/zsh-5.8/html install.html &&
install -v -m644 Doc/zsh.dvi /usr/share/doc/zsh-5.8

If you built the PDF format of the documentation, install it by issuing the following command as the root user:

install -v -m644 Doc/zsh.pdf /usr/share/doc/zsh-5.8

Command Explanations

--sysconfdir=/etc/zsh and --enable-etcdir=/etc/zsh: These parameters are used so that all the zsh configuration files are consolidated into the /etc/zsh directory. Omit these parameters if you wish to retain historical compatibility by having all the files located in the /etc directory.

--bindir=/bin: This parameter places the zsh binaries into the root filesystem.

--enable-cap: This option enables POSIX capabilities.

--disable-gdbm: This option disables the use of the GDBM library.

--enable-pcre: This option allows zsh to use the PCRE regular expression library in shell builtins.

Multiple partitions

Linking zsh dynamically against pcre and/or gdbm produces runtime dependencies on libpcre.so and/or libgdbm.so respectively, which both reside in /usr hierarchy. If /usr is a separate mount point and zsh needs to be available in boot time, then its supporting libraries should be in /lib too. You can move the libraries as follows:

mv -v /usr/lib/libpcre.so.* /lib &&
ln -v -sf ../../lib/libpcre.so.0 /usr/lib/libpcre.so

mv -v /usr/lib/libgdbm.so.* /lib &&
ln -v -sf ../../lib/libgdbm.so.3 /usr/lib/libgdbm.so

Alternatively you can statically link zsh against pcre and gdbm if you modify the config.modules file (you need first to run configure to generate it).

Configuring zsh

Config Files

There are a whole host of configuration files for zsh including /etc/zsh/zshenv, /etc/zsh/zprofile, /etc/zsh/zshrc, /etc/zsh/zlogin and /etc/zsh/zlogout. You can find more information on these in the zsh(1) and related manual pages.

The first time zsh is executed, you will be prompted by messages asking several questions. The answers will be used to create a ~/.zshrc file. If you wish to run these questions again, run zsh /usr/share/zsh/5.8/functions/zsh-newuser-install -f.

There are several built-in advanced prompts. In the zsh shell, start advanced prompt support with autoload -U promptinit, then promptinit. Available prompt names are listed with prompt -l. Select a particular one with prompt <prompt-name>. Display all available prompts with prompt -p. Except for the list and display commands above, you can insert the other ones in ~/.zshrc to be automatically executed at shell start, with the prompt you chose.

Configuration Information

Update /etc/shells to include the zsh shell program names (as the root user):

cat >> /etc/shells << "EOF"
/bin/zsh
EOF

Contents

Installed Programs: zsh and zsh-5.8 (hardlinked to each other)
Installed Libraries: Numerous plugin helper modules under /usr/lib/zsh/5.8/
Installed Directories: /usr/{lib,share}/zsh and /usr/share/doc/zsh-5.8

Short Description

zsh

is a shell which has command-line editing, built-in spelling correction, programmable command completion, shell functions (with autoloading), a history mechanism, and a host of other features.

Last updated on 2020-02-17 18:27:03 -0800

Chapter 8. Virtualization

Virtualization allows running a complete operating system, or virtual machine (VM), within another operating environment as a task. There are several commercial and open source environments that either emulate another processor or utilize the hardware virtualization features of the host processor.

qemu-4.2.0

Introduction to qemu

qemu is a full virtualization solution for Linux on x86 hardware containing virtualization extensions (Intel VT or AMD-V).

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

  • Download (HTTP): http://download.qemu-project.org/qemu-4.2.0.tar.xz

  • Download MD5 sum: 278eeb294e4b497e79af7a57e660cb9a

  • Download size: 59 MB

  • Estimated disk space required: 1.1 G (add 0.4 GB for tests)

  • Estimated build time: 0.9 SBU (using parallelism=4; add 4.2 SBU for tests)

Qemu Dependencies

Required

GLib-2.62.4, and X Window System

Recommended
Optional

Depending on the sound system, various packages in ALSA-1.2.1, Python-3.8.1, PulseAudio-13.0, BlueZ-5.53, cURL-7.68.0, Cyrus SASL-2.1.27, GnuTLS-3.6.12, GTK+-2.24.32, GTK+-3.24.13, libusb-1.0.23, libgcrypt-1.8.5, libssh2-1.9.0, LZO-2.10, Nettle-3.5.1, Mesa-19.3.4, SDL-1.2.15, VTE-0.58.3 or Vte-0.28.2, and libcacard

Note

This optional dependencies list is not comprehensive. See the output of ./configure --help for a more complete list.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/qemu

KVM Prerequisites

Before building qemu, check to see if your processor supports Virtualization Technology (VT):

egrep '^flags.*(vmx|svm)' /proc/cpuinfo

If you get any output, you have VT technology (vmx for Intel processors and svm for AMD processors). You then need to go into your system BIOS and ensure it is enabled. After enabing, reboot back to your LFS instance.

Kernel Configuration

Enable the following options in the kernel configuration and recompile the kernel if necessary:

[*] Virtualization:  --->                            [CONFIG_VIRTUALIZATION]
  <*/M>   Kernel-based Virtual Machine (KVM) support [CONFIG_KVM]
  <*/M>     KVM for Intel processors support         [CONFIG_KVM_INTEL]
  <*/M>     KVM for AMD processors support           [CONFIG_KVM_AMD]

The Intel or AMD settings are not both required, but the one matching your system processor is required.

To use the bridge network device, as explained below, check that bridge-utils-1.6 is installed and the following options in the kernel configuration are enabled:

[*] Networking support  --->                         [CONFIG_NET]
  Networking options  --->
    <*/M> 802.1d Ethernet Bridging                   [CONFIG_BRIDGE]
Device Drivers  --->
  [*] Network device support  --->                   [CONFIG_NETDEVICES]
    <*/M>    Universal TUN/TAP device driver support [CONFIG_TUN]

Installation of qemu

You will need a dedicated group that will contain users (other than root) allowed to access the KVM device. Create this group by running the following command as the root user:

groupadd -g 61 kvm

Add any users that might use the KVM device to that group:

usermod -a -G kvm <username>

Install qemu by running the following commands:

Note

Qemu is capable of running many targets. The build process is also capable of building multiple targets at one time in a comma delimited list assigned to --target-list. Run ./configure --help to get a complete list of available targets.

if [ $(uname -m) = i686 ]; then
   QEMU_ARCH=i386-softmmu
else
   QEMU_ARCH=x86_64-softmmu
fi


mkdir -vp build &&
cd        build &&

../configure --prefix=/usr               \
             --sysconfdir=/etc           \
             --target-list=$QEMU_ARCH    \
             --audio-drv-list=alsa       \
             --docdir=/usr/share/doc/qemu-4.2.0 &&

unset QEMU_ARCH &&

make

To run the built in tests, run make V=1 -k check.

Now, as the root user:

make install

You will also need to add an Udev rule so that the KVM device gets correct permissions:

cat > /lib/udev/rules.d/65-kvm.rules << "EOF"
KERNEL=="kvm", GROUP="kvm", MODE="0660"
EOF

Change the permissions and ownership of a helper script, which is needed when using the bridge network device (see below):

chgrp kvm  /usr/libexec/qemu-bridge-helper &&
chmod 4750 /usr/libexec/qemu-bridge-helper

Note

For convenience you may want to create a symbolic link to run the installed program. For instance:

ln -sv qemu-system-`uname -m` /usr/bin/qemu

Command Explanations

--audio-drv-list=alsa: This switch sets the audio driver to ALSA. See below for enabling other audio drivers.

--audio-drv-list=pa: This switch sets the audio driver to pulseaudio. For other drivers see the --audio-drv-list list in configure's help output. The default audio driver is OSS. To enable support for both alsa and pulseaudio, use --audio-drv-list=alsa,pa.

Using Qemu

Since using qemu means using a virtual computer, the steps to set up the virtual machine are in close analogy with those to set up a real computer. You'll need to decide about CPU, memory, disk, USB devices, network card(s), screen size, etc. Once the hardware is decided, you'll have for example to choose how to connect the machine to internet, and/or to install an OS. In the following, we show basic ways of performing those steps. But qemu is much more than this, and it is strongly advised to read the qemu documentation in /usr/share/doc/qemu-4.2.0/qemu-doc.html.

Note

It is standard practice to name the computer running qemu host and the emulated machine running under qemu the guest. We'll use those notations in the following.

Note

The following instructions assume the optional symbolic link, qemu, has been created. Additionally, qemu must be run from an X Window System based terminal (either locally or over ssh).

Disk

A virtual disk may be set up in the following way:

VDISK_SIZE=50G
VDISK_FILENAME=vdisk.img
qemu-img create -f qcow2 $VDISK_FILENAME $VDISK_SIZE

The virtual disk size and filename should be ajusted as desired. The actual size of the file will be less than specified, but will expand as needed, so it is safe to put a high value.

Operating System

To install an operating system, download an iso image from your preferred Linux distribution. For the purposes of this example, we'll use Fedora-16-x86_64-Live-LXDE.iso in the current directory. Run the following:

qemu -enable-kvm                           \
     -drive file=$VDISK_FILENAME           \
     -cdrom Fedora-16-x86_64-Live-LXDE.iso \
     -boot d                               \
     -m 1G

Follow the normal installation procedures for the chosen distribution. The -boot option specifies the boot order of drives as a string of drive letters. Valid drive letters are: a, b (floppy 1 and 2), c (first hard disk), d (first CD-ROM). The -m option is the amount of memory to use for the virtual machine. The choice depends on the load of the host. Modern distributions should be comfortable with 1GB. The -enable-kvm option allows hardware acceleration. Without this switch, the emulation is much slower.

Defining the virtual hardware

The virtual machine hardware is defined by the qemu command line. An example command is given below:

qemu -enable-kvm                     \
     -smp 4                          \
     -cpu host                       \
     -m 1G                           \
     -drive file=$VDISK_FILENAME     \
     -cdrom grub-img.iso             \
     -boot order=c,once=d,menu=on    \
     -net nic,netdev=net0            \
     -netdev user,id=net0            \
     -soundhw ac97                   \
     -vga std                        \
     -serial mon:stdio               \
     -name "fedora-16"

Meaning of the command line options

-enable-kvm: enable full KVM virtualization support. On some hardware, it may be necessary to add the undocumented -machine smm=off option in order to enable KVM.

-smp <N>: enable symmetric multiprocessing with <N> CPUs.

-cpu <model>: simulate CPU <model>. the list of supported models can be obtained with -cpu help.

-drive file=<filename>: defines a virtual disk whose image is stored in <filename>.

-cdrom grub-img.iso: defines an iso formated file to use as a cdrom. Here we use a grub rescue disk, which may turn handy when something goes wrong at boot time.

-boot order=c,once=d,menu=on: defines the boot order for the virtual BIOS.

-net nic,netdev=<netid>: defines a network card connected to the network device with id <netid>.

-netdev user,id=<netid>: defines the network user device. This is a virtual local network with addresses 10.0.2.0/24, where the host has address 10.0.2.2 and acts as a gateway to internet, and with a name server at address 10.0.2.3, and an smb server at address 10.0.2.4. A builtin DHCP server can allocate addresses between 10.0.2.15 and 10.0.2.31.

-soundhw <model>: defines the soundcard model. The list may be obtained with -soundhw help.

-vga <type>: defines the type of vga card to emulate.

-serial mon:stdio: sends the serial port of the guest (/dev/ttyS0 on linux guests), multiplexed with the qemu monitor, to the standard input and output of the qemu process.

-name <name>: sets the name of the guest. This name is displayed in the guest window caption. It may be useful if you run several guests at the same time.

Controlling the Emulated Display

It may happen that the guest window displayed by qemu does not correspond to the full capability of the emulated vga card. For example, the vmware card is 1600x900 capable, but only 1024x768 is displayed by default. A suitable Xorg configuration on the guest allows to use the full size (Note that the Xorg video driver to use is Xorg VMware Driver-13.3.0):

cat > /usr/share/X11/xorg.conf.d/20-vmware.conf << "EOF"
Section         "Monitor"
  Identifier    "Monitor0"
  # cvt 1600 900
  # 1600x900 59.95 Hz (CVT 1.44M9) hsync: 55.99 kHz; pclk: 118.25 MHz
  Modeline      "1600x900"  118.25  1600 1696 1856 2112  900 903 908 934 -hsync +vsync
  Option        "PreferredMode" "1600x900"
  HorizSync     1-200
  VertRefresh   1-200
EndSection

Section         "Device"
  Identifier    "VMware SVGA II Adapter"
  Option        "Monitor" "default"
  Driver        "vmware"
EndSection

Section         "Screen"
  Identifier    "Default Screen"
  Device        "VMware SVGA II Adapter"
  Monitor       "Monitor0"

  SubSection    "Display"
    Depth       24
    Modes       "1600x900" "1440x900" "1366x768" "1280x720" "800x480"
  EndSubSection

EndSection
EOF

New sizes will be available besides the native ones. You need to restart X in order to have the new sizes available.

Networking

The above solution for networking allows the guest to access the local network through the host (and possibly to access internet through the local routers), but the converse is not true. Not even the host can access the guest, unless port forwarding is enabled. And in the case several guests are running, they cannot communicate with each other. Other network devices can be used for this purpose. For example, there is the socket device, which allows several guests to share a common virtual network. In the following, we describe in more details how to set up the bridge device, which allows the guests to appear as if connected to the local network. All the commands below should be run as the root user.

Set up bridging with bridge-utils-1.6. Only the physical interface(s) should be set up at boot. The virtual interface(s) will be added as needed when qemu is started.

Set up a required configuration file:

install -vdm 755 /etc/qemu &&
echo allow br0 > /etc/qemu/bridge.conf

In the command above, replace the switch -netdev user,... with -netdev bridge,id=net0.

Contents

Installed Programs: ivshmem-client, ivshmem-server, qemu (symlink), qemu-ga, qemu-img, qemu-io, qemu-nbd, qemu-system-<arch>, and virtfs-proxy-helper
Installed Library: None
Installed Directories: /usr/share/qemu and /usr/share/doc/qemu-4.2.0

Short Description

ivshmem-client

is a standalone client for using the ivshmem device.

ivshmem-server

is an example server for the ivshmem device.

qemu-edid

is a test tool for the qemu EDID generator.

qemu-ga

implements support for QMP (QEMU Monitor Protocol) commands and events that terminate and originate respectively within the guest using an agent built as part of QEMU.

qemu-img

provides commands to manage QEMU disk images.

qemu-io

is a diagnostic and manipulation program for (virtual) memory media. It is still at an early stage of development.

qemu-nbd

exports Qemu disk images using the QEMU Disk Network Block Device (NBD) protocol.

qemu-system-x86_64

is the QEMU PC System emulator.

virtfs-proxy-helper

creates a socket pair or a named socket. QEMU and proxy helper communicate using this socket. QEMU proxy fs driver sends filesystem request to proxy helper and receives the response from it.

Last updated on 2020-02-20 12:41:28 -0800

Part III. General Libraries and Utilities

Chapter 9. General Libraries

Libraries contain code which is often required by more than one program. This has the advantage that each program doesn't need to duplicate code (and risk introducing bugs), it just has to call functions from the libraries installed on the system. The most obvious example of a set of libraries is Glibc which is installed during the LFS book. This contains all of the C library functions which programs use.

There are two types of libraries: static and shared. Shared libraries (usually libXXX.so) are loaded into memory from the shared copy at runtime (hence the name). Static libraries (libXXX.a ) are actually linked into the program executable file itself, thus making the program file larger. Quite often, you will find both static and shared copies of the same library on your system.

Generally, you only need to install libraries when you are installing software that needs the functionality they supply. In the BLFS book, each package is presented with a list of (known) dependencies. Thus, you can figure out which libraries you need to have before installing that program. If you are installing something without using BLFS instructions, usually the README or INSTALL file will contain details of the program's requirements.

There are certain libraries which nearly everyone will need at some point. In this chapter these and some others are listed and it is explained why you may want to install them.

Apr-1.7.0

Introduction to Apr

The Apache Portable Runtime (APR) is a supporting library for the Apache web server. It provides a set of application programming interfaces (APIs) that map to the underlying Operating System (OS). Where the OS doesn't support a particular function, APR will provide an emulation. Thus programmers can use the APR to make a program portable across different platforms.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/apr

Installation of Apr

Install Apr by running the following commands:

./configure --prefix=/usr    \
            --disable-static \
            --with-installbuilddir=/usr/share/apr-1/build &&
make

To test the results, issue: make test.

Now, as the root user:

make install

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

Contents

Installed Program: apr-1-config
Installed Library: libapr-1.so
Installed Directories: /usr/include/apr-1 and /usr/share/apr-1

Short Descriptions

apr-1-config

is a shell script used to retrieve information about the apr library in the system. It is typically used to compile and link against the library.

libapr-1.so

is the Apache Portable Runtime library.

Last updated on 2020-02-15 08:54:30 -0800

Apr-Util-1.6.1

Introduction to Apr Util

The Apache Portable Runtime Utility Library provides a predictable and consistent interface to underlying client library interfaces. This application programming interface assures predictable if not identical behaviour regardless of which libraries are available on a given platform.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Apr Util Dependencies

Required

Apr-1.7.0

Optional

Berkeley DB-5.3.28, FreeTDS, MariaDB-10.4.12 or MySQL, OpenLDAP-2.4.49, PostgreSQL-12.2, SQLite-3.31.1 and unixODBC-2.3.7

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/apr-util

Installation of Apr Util

Install Apr Util by running the following commands:

./configure --prefix=/usr       \
            --with-apr=/usr     \
            --with-gdbm=/usr    \
            --with-openssl=/usr \
            --with-crypto &&
make

To test the results, issue: make test. One test, testdbm, is known to fail.

Now, as the root user:

make install

Command Explanations

--with-gdbm=/usr: This switch enables the apr_dbm_gdbm-1.so plugin.

--with-openssl=/usr --with-crypto: These switches enable the apr_crypto_openssl-1.so plugin.

--with-berkeley-db=/usr: If you have installed Berkeley DB-5.3.28, use this switch to compile the apr_dbm_db-1.so plugin.

--with-ldap: If you have installed OpenLDAP-2.4.49, use this switch to compile the apr_ldap.so plugin.

Contents

Installed Program: apu-1-config
Installed Library: libaprutil-1.so
Installed Directory: /usr/lib/apr-util-1

Short Descriptions

apu-1-config

is an APR-util script designed to allow easy command line access to APR-util configuration parameters.

libaprutil-1.so

contains functions that provide a predictable and consistent interface to underlying client library interfaces.

Last updated on 2020-02-15 08:54:30 -0800

Aspell-0.60.8

Introduction to Aspell

The Aspell package contains an interactive spell checking program and the Aspell libraries. Aspell can either be used as a library or as an independent spell checker.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Additional Downloads

You'll need to download at least one dictionary. The link below will take you to a page containing links to dictionaries in many languages.

Aspell Dependencies

Required

Which-2.21 (for the dictionaries)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/aspell

Installation of Aspell

Install Aspell by running the following commands:

./configure --prefix=/usr &&
make

This package does not come with a test suite.

Now, as the root user:

make install &&
ln -svfn aspell-0.60 /usr/lib/aspell &&

install -v -m755 -d /usr/share/doc/aspell-0.60.8/aspell{,-dev}.html &&

install -v -m644 manual/aspell.html/* \
    /usr/share/doc/aspell-0.60.8/aspell.html &&

install -v -m644 manual/aspell-dev.html/* \
    /usr/share/doc/aspell-0.60.8/aspell-dev.html

If you do not plan to install Ispell, then copy the wrapper script ispell:

install -v -m 755 scripts/ispell /usr/bin/

If you do not plan to install Spell, then copy the wrapper script spell:

install -v -m 755 scripts/spell /usr/bin/

Command Explanations

ln -svfn aspell-0.60 /usr/lib/aspell: This command is useful for configuration of other applications, such as enchant-2.2.7.

Configuring Aspell

Configuration Information

After Aspell is installed, you must set up at least one dictionary. Install one or more dictionaries by running the following commands:

./configure &&
make

Now, as the root user:

make install

Contents

Installed Programs: aspell, aspell-import, precat, preunzip, prezip, prezip-bin, pspell-config, run-with-aspell, word-list-compress and optionally, ispell and spell.
Installed Libraries: libaspell.so and libpspell.so
Installed Directories: /usr/include/pspell and /usr/lib/aspell-0.60

Short Descriptions

aspell

is a utility that can function as an ispell -a replacement, as an independent spell checker, as a test utility to test out Aspell features, and as a utility for managing dictionaries.

ispell

is a wrapper around aspell to invoke it in ispell compatible mode.

spell

is a wrapper around aspell to invoke it in spell compatible mode.

aspell-import

imports old personal dictionaries into Aspell.

precat

decompresses a prezipped file to stdout.

preunzip

decompresses a prezipped file.

prezip

is a prefix delta compressor, used to compress sorted word lists or other similar text files.

prezip-bin

is called by the various wrapper scripts to perform the actual compressing and decompressing.

pspell-config

displays information about the libpspell installation, mostly for use in build scripts.

run-with-aspell

is a script to help use Aspell as an ispell replacement.

word-list-compress

compresses or decompresses sorted word lists for use with the Aspell spell checker.

libaspell.so

contains spell checking API functions.

libpspell.so

is an interface to the libaspell library. All the spell checking functionality is now in libaspell but this library is included for backward compatibility.

Last updated on 2020-02-16 18:46:23 -0800

Boost-1.72.0

Introduction to Boost

Boost provides a set of free peer-reviewed portable C++ source libraries. It includes libraries for linear algebra, pseudorandom number generation, multithreading, image processing, regular expressions and unit testing.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Boost Dependencies

Recommended
Optional

ICU-65.1 and Open MPI

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/boost

Installation of Boost

This package can be built with several jobs running in parallel. In the instructions below, <N> stands for the number of jobs. Install Boost by running the following commands:

./bootstrap.sh --prefix=/usr &&
./b2 stage -j<N> threading=multi link=shared

To run the Boost.Build's regression test, Python-2.7.17 is required. Run the tests with: issue pushd tools/build/test; python3 test_all.py; popd. All 152 tests should pass.

To run every library's regression tests, issue pushd status; ../b2; popd. A few tests may fail. They take a very long time (over 119 SBU at -j4) and use a very large amount of disk space (46 GB). You should use the -jN switch to speed them up.

Now, as the root user:

./b2 install threading=multi link=shared                 &&
ln -svf detail/sha1.hpp /usr/include/boost/uuid/sha1.hpp

Command Explanations

threading=multi: This parameter ensures that Boost is built with multithreading support.

link=shared: This parameter ensures that only shared libraries are created, except for libboost_exception and libboost_test_exec_monitor which are created as static. Most people will not need the static libraries, and most programs using Boost only use the headers. Omit this parameter if you do need static libraries.

ln -svf detail/sha1.hpp ...: The uuid/sha1.hpp used to be a regular header, but by boost_1_66_0 it had been changed to load the similar detail/sha1.hpp header, with a message that it had been deprecated. It has now been removed, but not every package which uses it has been changed. An example is one of the libraries downloaded as a git version by libreoffice. The symlink enables this and similar packages to build.

-jN: This switch may be added to the b2 command lines, to run up to N processes in parallel.

--with-python=python3: Add this switch to the bootstrap command, if you want Boost to use Python3 instead of Python2. Using Python3 is known to cause the installation to fail on some systems.

Contents

Installed Programs: None
Installed Libraries: libboost_atomic.so, libboost_chrono.a, libboost_chrono.so, libboost_container.so, libboost_context.so, libboost_coroutine.so, libboost_date_time.so, libboost_exception.a, libboost-fiber.so, libboost_filesystem.so, libboost_graph.so, libboost_iostreams.so, libboost_locale.so, libboost_log_setup.so, libboost_log.so, libboost_math_c99.so, libboost_math_c99f.so, libboost_math_c99l.so, libboost_math_tr1.so, libboost_math_tr1f.so, libboost_math_tr1l.so, libboost_prg_exec_monitor.so, libboost_program_options.so, libboost_python27.so or libboost_python3.so, libboost_random.so, libboost_regex.so, libboost_serialization.so, libboost_signals.so, libboost_stacktrace_addr2line.so, libboost_stacktrace_basic.so, libboost_stacktrace_noop.so, libboost_system.a, libboost_system.so, libboost_test_exec_monitor.a, libboost_thread.so, libboost_timer.a, libboost_timer.so, libboost_type_erasure.so, libboost_unit_test_framework.so, libboost_wave.so, and libboost_wserialization.so
Installed Directory: /usr/include/boost

Last updated on 2020-02-16 12:25:07 -0800

brotli-1.0.7

Introduction to Brotli

Brotli provides a general-purpose lossless compression algorithm that compresses data using a combination of a modern variant of the LZ77 algorithm, Huffman coding and 2nd order context modeling. Its libraries are particularly used for WOFF2 fonts on webpages.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

  • Download (HTTP): https://github.com/google/brotli/archive/v1.0.7/brotli-v1.0.7.tar.gz

  • Download MD5 sum: 7b6edd4f2128f22794d0ca28c53898a5

  • Download size: 23 MB

  • Estimated disk space required: 43 MB (add 5 MB if installing both sets of python bindings, add 9 MB for the main test and 5MB for testing the bindings)

  • Estimated build time: 0.2 SBU (add 0.3 SBU for the python bindings, and 1.2 SBU if testing them)

Brotli Dependencies

Required

CMake-3.16.4

Optional

Lua-5.3.5 (to create Lua bindings) and Python-2.7.17 (to create python2 bindings)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/brotli

Installation of Brotli

Install brotli by running the following commands:

mkdir out &&
cd    out &&

cmake -DCMAKE_INSTALL_PREFIX=/usr \
      -DCMAKE_BUILD_TYPE=Release  \
      ..  &&
make

To test the results, issue: make test.

If desired, either or both sets of python bindings can be built and installed without any conflicts. If you need the Python2 bindings, add or substitute python2 for python3 in the following instructions:

pushd ..               &&
python3 setup.py build &&
popd

If you wish to test the bindings, go back to the top-level directory and issue: python3 setup.py test.

Now, as the root user:

make install &&
cd ..

If you have built either or both sets of python bindings, install them as the root user (as before, use the appropriate version(s) of python:

python3 setup.py install --optimize=1

Contents

Installed Programs: brotli
Installed Libraries: libbrotlicommon{-static.a,.so}, libbrotlidec{,-static,.so} and libbrotlienc{,-static,.so}
Installed Directory: /usr/include/brotli

Short Descriptions

brotli

can compress or decompress files, or test the integrity of compressed files.

libbrotlicommon{-static.a,.so}

is the Brotli common dictionary library.

libbrotlidec{-static.a,.so}

is the Brotli decoder library.

libbrotlienc{-static.a,.so}

is the Brotli common encoder library.

Last updated on 2020-02-16 18:46:23 -0800

CLucene-2.3.3.4

Introduction to CLucene

CLucene is a C++ version of Lucene, a high performance text search engine.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Additional Downloads

CLucene Dependencies

Required

CMake-3.16.4

Recommended

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/clucene

Installation of CLucene

Install CLucene by running the following commands:

patch -Np1 -i ../clucene-2.3.3.4-contribs_lib-1.patch &&

mkdir build &&
cd    build &&

cmake -DCMAKE_INSTALL_PREFIX=/usr \
      -DBUILD_CONTRIBS_LIB=ON .. &&
make

Now, as the root user:

make install

Command Explanations

-DBUILD_CONTRIBS_LIB=ON: This cmake variable enables building the CLucene contribs library necessary for running applications that use language specific text analyzers like LibreOffice for example.

Contents

Installed Programs: None
Installed Libraries: libclucene-contribs-lib.so, libclucene-core.so, and libclucene-shared.so
Installed Directories: /usr/include/CLucene and /usr/lib/CLuceneConfig.cmake

Last updated on 2020-02-16 18:46:23 -0800

dbus-glib-0.110

Introduction to D-Bus GLib

The D-Bus GLib package contains GLib interfaces to the D-Bus API.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

D-Bus GLib Dependencies

Required

dbus-1.12.16 and GLib-2.62.4

Optional

GTK-Doc-1.32

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/dbus-glib

Installation of D-Bus GLib

Install D-Bus GLib by running the following commands:

./configure --prefix=/usr     \
            --sysconfdir=/etc \
            --disable-static &&
make

To test the results, issue: make check. Note that more comprehensive tests can be run by following the same method used in D-Bus instructions, which requires building the package twice.

Now, as the root user:

make install

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

--enable-gtk-doc: Use this parameter if GTK-Doc is installed and you wish to rebuild and install the API documentation.

Contents

Installed Program: dbus-binding-tool
Installed Library: libdbus-glib-1.so
Installed Directories: /usr/share/gtk-doc/html/dbus-glib and /usr/share/doc/dbus-glib-0.110

Short Descriptions

dbus-binding-tool

is a tool used to interface with the D-Bus API.

libdbus-glib-1.so

contains GLib interface functions to the D-Bus API.

Last updated on 2020-02-16 18:46:23 -0800

enchant-2.2.7

Introduction to enchant

The enchant package provide a generic interface into various existing spell checking libraries.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

enchant Dependencies

Required

GLib-2.62.4

Recommended
Optional

dbus-glib-0.110, Hspell, Hunspell, Voikko, and unittest-cpp (required for tests)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/enchant

Installation of enchant

Install enchant by running the following commands:

./configure --prefix=/usr --disable-static &&
make

To run tests, unittest-cpp must be installed and the --enable-relocatable option passed to configure above. If these conditions are present, the tests may be run with make check.

Now, as the root user:

make install                                   &&
rm -rf /usr/include/enchant                    &&
ln -sfv enchant-2       /usr/include/enchant   &&
ln -sfv enchant-2       /usr/bin/enchant       &&
ln -sfv libenchant-2.so /usr/lib/libenchant.so &&
ln -sfv enchant-2.pc    /usr/lib/pkgconfig/enchant.pc

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

rm -rf /usr/include/enchant; ln -sfn ...: Create symlinks for this package version so that other other packages can find it using the old name.

Configuring enchant

Config Files

~/.enchant and /usr/share/enchant/enchant.ordering

Configuration Information

You can test your installation and configuration by creating a test file and running the commands in the following (you can replace the en_GB dictionary by any other downloaded when installing Aspell-0.60.8):

cat > /tmp/test-enchant.txt << "EOF"
Tel me more abot linux
Ther ar so many commads
EOF

enchant -d en_GB -l /tmp/test-enchant.txt &&
enchant -d en_GB -a /tmp/test-enchant.txt

You will see a list of the misspelled words followed by a list of alternatives for them.

See more details in the enchant manual page.

Contents

Installed Programs: enchant and enchant-lsmod-2
Installed Libraries: libenchant.so and various backend libraries
Installed Directories: /usr/{include,lib,share}/enchant-2

Short Descriptions

enchant

is a spellchecker

enchant-lsmod-2

lists available backends, languages, and dictionaries.

libenchant.so

contains spell checking interface API functions.

Last updated on 2020-02-16 18:46:23 -0800

Exempi-2.5.1

Introduction to Exempi

Exempi is an implementation of XMP (Adobe's Extensible Metadata Platform).

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Exempi Dependencies

Required

Boost-1.72.0

Optional

Valgrind-3.15.0

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/exempi

Installation of Exempi

If you intend to run the regression tests, first remove a test that depends on an apparently proprietarty Adobe SDK:

sed -i -r '/^\s?testadobesdk/d' exempi/tests/Makefile.am &&
autoreconf -fiv

Install Exempi by running the following commands:

./configure --prefix=/usr --disable-static &&
make

To test the results, issue: make check.

Now, as the root user:

make install

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

Contents

Installed Program: exempi
Installed Library: libexempi.so
Installed Directory: /usr/include/exempi-2.0

Short Descriptions

exempi

is a command line tool to manipulate XMP metadata.

libexempi.so

is a library used to parse XMP metadata.

Last updated on 2020-02-16 18:46:23 -0800

fftw-3.3.8

Introduction to fftw

FFTW is a C subroutine library for computing the discrete Fourier transform (DFT) in one or more dimensions, of arbitrary input size, and of both real and complex data (as well as of even/odd data, i.e. the discrete cosine/sine transforms or DCT/DST).

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/fftw

Installation of fftw

Note

We build fftw three times for different libraries in different numerical precisions: the default double precision floating point, the older 32-bit (single precision) version named float which sacrifices precision for speed, and the long double which offers increased precision at the cost of slower execution.

The first build is for double precision arithmetic. Install fftw by running the following commands:

./configure --prefix=/usr    \
            --enable-shared  \
            --enable-threads \
            --enable-sse2    \
            --enable-avx     &&
make

To test the results, issue: make check. On 32-bit systems, the tests can take substantially longer than they would on 64-bit machines.

Now, as the root user:

make install

Now build single precision:

make clean &&

./configure --prefix=/usr    \
            --enable-shared  \
            --enable-threads \
            --enable-sse2    \
            --enable-avx     \
            --enable-float   &&
make

As the root user:

make install

Finally, build long double precision:

make clean &&

./configure --prefix=/usr    \
            --enable-shared  \
            --enable-threads \
            --enable-long-double &&
make

As the root user:

make install

Command Explanations

--enable-shared: Use shared libs instead of static libs.

--enable-threads: This enables libfftw3_threads.so to be compiled. It is used by e.g. the gimp plugin from G'MIC.

--enable-float: This enables building the library that uses single precision floating point arithmetic. It is faster but less precise than the default double precision library. The library will be called libfftw3f.so needed by PulseAudio-13.0.

--enable-long-double: This enables building the library that uses higher precision long-double floating point arithmetic. The library will be called libfftw3l.so.

Contents

Installed Programs: fftw-wisdom and fftw-wisdom-to-conf
Installed Libraries: libfftw3.so, libfftw3_threads.so, libfftw3f.so, libfftw3f_threads.so, libfftw3l.so and libfftw3l_threads.so
Installed Directories: None

Short Descriptions

fftw-wisdom

is a utility to generate FFTW wisdom files, which contain saved information about how to optimally compute (Fourier) transforms of various sizes.

fftw-wisdom-to-conf

is a utility to generate C configuration routines from FFTW wisdom files, where the latter contain saved information about how to optimally compute (Fourier) transforms of various sizes.

libfftw3.so

is the Fast Fourier Transform library

libfftw3_threads.so

is the threaded Fast Fourier Transform library

libfftw3f.so

is the single-precision Fast Fourier Transform library, described as 'float' for historic reasons

libfftw3f_threads.so

is the threaded single-precision Fast Fourier Transform library

libfftw3l.so

is the long double Fast Fourier Transform library

libfftw3l_threads.so

is the threaded long double Fast Fourier Transform library

Last updated on 2020-02-16 18:46:23 -0800

GLib-2.62.4

Introduction to GLib

The GLib package contains low-level libraries useful for providing data structure handling for C, portability wrappers and interfaces for such runtime functionality as an event loop, threads, dynamic loading and an object system.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Additional Downloads

GLib Dependencies

Recommended
Optional

dbus-1.12.16 and bindfs (both may be used in some tests), GDB-9.1 (for bindings), docbook-xml-4.5, docbook-xsl-1.79.2, and GTK-Doc-1.32 (to build API documentation)

Additional Runtime Dependencies

Quoted directly from the INSTALL file: Some of the mimetype-related functionality in GIO requires the update-mime-database and update-desktop-database utilities, which are part of shared-mime-info-1.15 and desktop-file-utils-0.24, respectively. These two utilities are also needed for some tests.

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/glib2

Installation of GLib

If desired, apply the optional patch. In many cases, applications that use this library, either directly or indirectly via other libraries such as GTK+-3.24.13, output numerous warnings when run from the command line. This patch enables the use of an environment variable, GLIB_LOG_LEVEL, that supresses unwanted messages. The value of the variable is a digit that corresponds to:

1 Alert
2 Critical
3 Error
4 Warning
5 Notice

For instance GLIB_LOG_LEVEL=4 will skip output of Warning and Notice messages (and Info/Debug messages if they are turned on). If GLIB_LOG_LEVEL is not defined, normal message output will not be affected.

patch -Np1 -i ../glib-2.62.4-skip_warnings-1.patch

Warning

If upgrading from a previous version of GLib that was built using autotools, and the libtool archives (.la files) were installed, you will need to adjust all installed libtool archives, /usr/lib/libg{io,lib,module,object,thread}-2.0.la, to replace references to the libtool archives for this package with the appropriate linker library flag (-l), -lg{io,lib,module,object,thread}. 600+ files must be modified on a complete gnome desktop.

Alternatively, you can just remove the unneeded .la files with the script at Libtool archive (.la) files.

Apply a security patch to fix a proxy bypass vulnerability:

patch -Np1 -i ../glib-2.62.4-cve_2020_6750_fix-1.patch

Install GLib by running the following commands:

mkdir build &&
cd    build &&

meson --prefix=/usr      \
      -Dman=true         \
      -Dselinux=disabled \
      ..                 &&
ninja

The GLib test suite requires desktop-file-utils for some tests. However, desktop-file-utils requires GLib in order to compile; therefore, you must first install GLib and then run the test suite.

Now, as the root user:

Note

If libxslt-1.1.34 is installed, the following command may indicate several (about 33) errors that start with "Error: no ID for constraint linkend:" when installing the man pages. These are harmless.

ninja install &&

mkdir -p /usr/share/doc/glib-2.62.4 &&
cp -r ../docs/reference/{NEWS,gio,glib,gobject} /usr/share/doc/glib-2.62.4

You should now install desktop-file-utils-0.24 and shared-mime-info-1.15 and proceed to run the test suite.

To test the results, after having installed the package, issue: ninja test.

Command Explanations

-Dman=true: This switch causes the build to create and install the package man pages.

-Dselinux=disabled: This switch disables support for selinux which is not supported in BLFS.

-Ddoc=true: This switch causes the build to create and install the API documentation.

Contents

Installed Programs: gapplication, gdbus, gdbus-codegen, gio, gio-launch-desktop, gio-querymodules, glib-compile-resources, glib-compile-schemas, glib-genmarshal, glib-gettextize, glib-mkenums, gobject-query, gresource, gsettings, gtester, and gtester-report
Installed Libraries: libgio-2.0.so, libglib-2.0.so, libgmodule-2.0.so, libgobject-2.0.so, and libgthread-2.0.so
Installed Directories: /usr/include/gio-unix-2.0, /usr/include/glib-2.0, /usr/lib/glib-2.0, /usr/share/glib-2.0, and /usr/share/gtk-doc/html/{gio,glib,gobject}

Short Descriptions

gapplication

can be used to start applications and to send messages to already-running instances of other applications.

gdbus

is a simple tool used for working with D-Bus objects.

gdbus-codegen

is used to generate code and/or documentation for one or more D-Bus interfaces.

gio

is a utility that makes many GIO features available from the command line.

gio-querymodules

is used to create a giomodule.cache file in the listed directories. This file lists the implemented extension points for each module that has been found.

glib-compile-resources

is used to read the resource description from a file and the files that it references to create a binary resource bundle that is suitable for use with the GResource API.

glib-compile-schemas

is used to compile all the GSettings XML schema files in a directory into a binary file with the name gschemas.compiled that can be used by GSettings.

glib-genmarshal

is a C code marshaller generation utility for GLib closures.

glib-gettextize

is a variant of the gettext internationalization utility.

glib-mkenums

is a C language enum description generation utility.

gobject-query

is a small utility that draws a tree of types.

gresource

offers a simple command line interface to GResource.

gsettings

offers a simple command line interface to GSettings.

gtester

is a test running utility.

gtester-report

is a test report formatting utility.

GLib libraries

contain low-level core libraries for the GIMP Toolkit.

Last updated on 2020-02-15 20:23:35 -0800

GLibmm-2.62.0

Introduction to GLibmm

The GLibmm package is a set of C++ bindings for GLib.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

GLibmm Dependencies

Required

GLib-2.62.4 and libsigc++-2.10.2

Optional

Doxygen-1.8.17, glib-networking-2.62.3 (for tests), GnuTLS-3.6.12 (for tests), and libxslt-1.1.34

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/glibmm

Installation of GLibmm

First, fix the documents directory name:

sed -e '/^libdocdir =/ s/$(book_name)/glibmm-2.62.0/' \
    -i docs/Makefile.in

Install GLibmm by running the following commands:

./configure --prefix=/usr &&
make

To test the results, issue: make check.

Now, as the root user:

make install

Contents

Installed Programs: None
Installed Libraries: libgiomm-2.4.so, libglibmm-2.4.so and libglibmm_generate_extra_defs-2.4.so
Installed Directories: /usr/{include,lib}/g{io,lib}mm-2.4 and /usr/share/{devhelp/books/glibmm-2.4,doc/glibmm-2.62.0}

Short Descriptions

libgiomm-2.4.so

contains the GIO API classes.

libglibmm-2.4.so

contains the GLib API classes.

Last updated on 2020-02-16 18:46:23 -0800

GMime-2.6.23

Introduction to GMime

The GMime package contains a set of utilities for parsing and creating messages using the Multipurpose Internet Mail Extension (MIME) as defined by the applicable RFCs. See the GMime web site for the RFCs resourced. This is useful as it provides an API which adheres to the MIME specification as closely as possible while also providing programmers with an extremely easy to use interface to the API functions.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

GMime Dependencies

Required

GLib-2.62.4 and libgpg-error-1.37

Recommended
Optional

DocBook-utils-0.6.14, GPGME-1.13.1, GTK-Doc-1.32 and Gtk# (requires Mono)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gmime

Installation of GMime

Install GMime by running the following commands:

./configure --prefix=/usr --disable-static &&
make

To test the results, issue: make check.

Now, as the root user:

make install

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

--enable-smime: Use this switch if you have installed GPGME-1.13.1 and wish to enable S/MIME support in GMime.

--enable-gtk-doc: Use this parameter if GTK-Doc is installed and you wish to rebuild and install the API documentation.

Contents

Installed Programs: None
Installed Library: libgmime-2.6.so
Installed Directories: /usr/include/gmime-2.6 and /usr/share/gtk-doc/html/gmime-2.6

Short Descriptions

libgmime-2.6.so

contains API functions used by programs that need to comply to the MIME standards.

Last updated on 2020-02-16 18:46:23 -0800

GMime-3.2.6

Introduction to GMime

The GMime package contains a set of utilities for parsing and creating messages using the Multipurpose Internet Mail Extension (MIME) as defined by the applicable RFCs. See the GMime web site for the RFCs resourced. This is useful as it provides an API which adheres to the MIME specification as closely as possible while also providing programmers with an extremely easy to use interface to the API functions.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

GMime Dependencies

Required

GLib-2.62.4 and libgpg-error-1.37

Recommended
Optional

DocBook-utils-0.6.14, GPGME-1.13.1, GTK-Doc-1.32, Vala-0.46.6, and Gtk# (requires Mono)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gmime

Installation of GMime

Install GMime by running the following commands:

./configure --prefix=/usr --disable-static &&
make

To test the results, issue: make check.

Now, as the root user:

make install

Command Explanations

--disable-static: This switch prevents installation of static versions of the libraries.

--enable-gtk-doc: Use this parameter if GTK-Doc is installed and you wish to rebuild and install the API documentation.

Contents

Installed Programs: None
Installed Library: libgmime-3.0.so
Installed Directories: /usr/include/gmime-3.0 and /usr/share/gtk-doc/html/gmime-3.0

Short Descriptions

libgmime-3.0.so

contains API functions used by programs that need to comply to the MIME standards.

Last updated on 2020-02-16 18:46:23 -0800

gobject-introspection-1.62.0

Introduction to GObject Introspection

The GObject Introspection is used to describe the program APIs and collect them in a uniform, machine readable format.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Required

GLib-2.62.4

Optional

Cairo-1.17.2+f93fc72c03e (required for the tests), Gjs-1.58.5 (to satisfy one test), GTK-Doc-1.32, Mako-1.1.1, and Markdown (to satisfy one test)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gobject-introspection

Installation of GObject Introspection

Install GObject Introspection by running the following commands:

mkdir build &&
cd    build &&

meson --prefix=/usr .. &&
ninja

To test the results, issue: ninja test -k0. One test (test_docwriter) fails if the optional Markdown module is not installed.

Now, as the root user:

ninja install

Command Explanations

-Dgtk_doc=true: Build and install the documentation.

-Dcairo=true: Use cairo for tests.

-Ddoctool=true: Install g-ir-doc-tool and run related tests.

Contents

Installed Program: g-ir-annotation-tool, g-ir-compiler, g-ir-doc-tool, g-ir-inspect, g-ir-generate, and g-ir-scanner
Installed Libraries: libgirepository-1.0.so and _giscanner.cpython-37m-x86_64-linux-gnu.so
Installed Directories: /usr/include/gobject-introspection-1.0, /usr/lib/girepository-1.0, /usr/lib/gobject-introspection, /usr/share/gir-1.0, and /usr/share/gobject-introspection-1.0

Short Descriptions

g-ir-annotation-tool

creates or extracts annotation data from GI typelibs.

g-ir-compiler

converts one or more GIR files into one or more typelib.

g-ir-doc-tool

generates Mallard files that can be viewed with yelp or rendered to HTML with yelp-build from yelp-tools.

g-ir-inspect

is a utility that gives information about a GI typelib.

g-ir-scanner

is a tool which generates GIR XML files by parsing headers and introspecting GObject based libraries.

g-ir-generate

is a GIR generator that uses the repository API.

libgirepository-1.0.so

provides an API to access the typelib metadata.

Last updated on 2020-02-15 20:23:35 -0800

Grantlee-5.2.0

Introduction to grantlee

Grantlee is a set of free software libraries written using the Qt framework. Currently two libraries are shipped with Grantlee: Grantlee Templates and Grantlee TextDocument. The goal of Grantlee Templates is to make it easier for application developers to separate the structure of documents from the data they contain, opening the door for theming.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Grantlee Dependencies

Required

CMake-3.16.4 and Qt-5.14.1

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/grantlee

Installation of Grantlee

Install Grantlee by running the following commands:

mkdir build &&
cd    build &&

cmake -DCMAKE_INSTALL_PREFIX=/usr \
      -DCMAKE_BUILD_TYPE=Release  \
      .. &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Contents

Installed Programs: none
Installed Libraries: libgrantlee_core.so and libgrantlee_gui.so
Installed Directories: /usr/lib/cmake/grantlee, /usr/lib/grantlee/0.4, and /usr/include/grantlee

Last updated on 2020-02-19 16:31:22 -0800

Gsl-2.6

Introduction to Gsl

The GNU Scientific Library (GSL) is a numerical library for C and C++ programmers. It provides a wide range of mathematical routines such as random number generators, special functions and least-squares fitting.

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

Gsl Dependencies

Optional

Sphinx with sphinx_rtd_theme

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/gsl

Installation of Gsl

Install Gsl by running the following commands:

./configure --prefix=/usr --disable-static &&
make

If you have the optional Sphinx package installed, buid the documentation with:

make html

To test the results, issue: make check.

Now, as the root user:

make install

If you built the documentation, install it (as root) with:

mkdir                   /usr/share/doc/gsl-2.6 &&
cp -R doc/_build/html/* /usr/share/doc/gsl-2.6

Command Explanations

--disable-stat