Re: loop-AES and RPM's in FC5

Thanks, Phil.

I didn't know about the "exclude=" option.  I'll try it out.

So that's what you do?  You just exclude stuff from Yum or Apt or
whatever package system you use.  And then you just have to
wake up every now and then and look around manually for any
updates to the stuff you excluded?  Then once you find them,  you
install them manually?

It's a solution I suppose,  but I was hoping for something that
allowed me to continue to use Yum to find and install updates,
including patching everything and getting loop-AES working.

It's a bit much to ask for I guess, especially since the util-linux
stuff requires specific patches for specific versions of util-linux,
right?  So you couldn't just keep updating stuff unless you made
sure both it and the patch file were for the same version,  which
makes it hard to automate.

There's gotta be a better way than this.  Maybe we can get
the util-linux guys to update their code to allow customization
or user extensions without recompiling their code?  That way
you don't need to patch it and recompile it each time.  Why
not do that?  Same with gnupg.  I think gnupg still requires a
patch and recompile, right?

See,  when you start excluding packages from automated
updates,  you end up with a potentially non-secure system.
Why? Because instead of just being able to run some quick
little script each day to keep your system up to date
automatically,  you have to go out and manually search for
updates and install them yourself.  That means that all but
the most diligent people will just let it slide and won't update
their kernel, util-linux, and so on.  That has potential of
introducing security holes I would imagine.  Better to have
everything update automatically... Plus it's a pain in
the butt trying to do things manually.

But you all know this already I'm sure.

Thanks,
- Steve


From: Phil H <philtickle200@xxxxxxxxx>
To: Lohan Knight <lohan_knight@xxxxxxxxxxx>, linux-crypto@xxxxxxxxxxxx
Subject: Re: loop-AES and RPM's in FC5
Date: Mon, 17 Apr 2006 13:12:24 -0700 (PDT)

You might want to add an appropriate exclude line to /etc/yum.conf to prevent the utils and kernel from getting updated.

I'm not sure if mount, losetup and the other utils are all included in one package with Fedora (check), but assuming you want to exclude for eg a package starting with "mount" from being updated then you'd add the following line to /etc/yum.conf:

  exclude=mount*

Not sure if you have to exclude losetup, swapon, swapoff as well - probably. Find out what packages these belong to and exclude these?

On doing an update, any package starting with "mount" then shouldn't get touched.

A kernel update might (?) replace your new loop.o driver as well, or at least would no longer match it, so you should exclude the kernel from updating as well:

  exclude=kernel*

As for rpms - you could build your utils and loop.o driver into rpms using checkinstall if you want, but it's probably of no advantage since you're only ever going to be manually compiling and replacing these anyway.



Lohan Knight <lohan_knight@xxxxxxxxxxx> wrote:

And I'd like to just be able to
say "yum update" and not worry about having it install
something that breaks loop-AES stuff.

I know in the past the docs said to turn off the cryptoloop
driver and disable the loop device driver in the kernel config
settings. Then recompile the kernel. Then patch gnupg with
a patch file. Then compile loop-AES which will copy a new
loop.o to /lib/modules. Then patch util-linux. Then install
ciphers.

I assume the same process would be needed to install it
for FC5.

Problem is, once I patch stuff manually, I'm no longer able
to put those programs under RPM / Yum control. Am I? I
mean won't they just get overwritten once I do an update
("yum update")? So I'd have to somehow remove it from
RPM control first, which I don't know how to do yet. And then
I'd have to manually update the various items (kernel,
util-linux, gnupg, loop-AES) from time to time, which is
undesirable.

So how do you all handle this? Do you just not update your
systems once you've gotten loop-AES working? Or do you
create your own RPM's? I don't know how to go about all
that. It's new to me. I know I have to learn more about Yum
and RPM package management.

Advice?

Thanks,
- Steve



-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
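
Added example (not part of the original messages): a small shell check for the gap discussed in this thread, where packages pinned with `exclude=` in /etc/yum.conf silently stop receiving updates. It assumes an update listing in `name.arch version repo` form taken with excludes switched off; the function names, sample config and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: show which pending updates the
# exclude= patterns in a yum.conf-style file are holding back.

# Print one glob per line from every exclude= line (space-separated list).
exclude_patterns() {
    sed -n 's/^[[:space:]]*exclude[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -s ' \t' '\n\n'
}

# $1 = yum.conf-style file, $2 = "name.arch version repo" lines, i.e. an
# update listing taken with excludes switched off (assumption: e.g.
# "yum --disableexcludes=all check-update" on yum versions that have it).
held_back_updates() {
    patterns=$(exclude_patterns "$1")
    while read -r pkg version _repo; do
        [ -n "$version" ] || continue      # skip blank or header lines
        name=${pkg%.*}                     # drop the trailing .arch
        set -f                             # no filename expansion of globs
        for pat in $patterns; do
            case $name in
                $pat) echo "$name $version held by exclude=$pat"; break ;;
            esac
        done
        set +f
    done < "$2"
}

# Constructed sample data: config with the two patterns from the thread,
# and an invented update listing with placeholder versions.
demo() {
    dir=$(mktemp -d) || return 1
    printf '[main]\nexclude=mount* kernel*\n' > "$dir/yum.conf"
    cat > "$dir/updates.txt" <<'EOF'
kernel.i686        0.0.1-sample  updates
kernel-devel.i686  0.0.1-sample  updates
util-linux.i386    0.0.2-sample  updates
gnupg.i386         0.0.3-sample  updates
EOF
    held_back_updates "$dir/yum.conf" "$dir/updates.txt"
    rm -rf "$dir"
}

demo
```

In the constructed data util-linux is not reported, because `mount*` does not match that package name, so a pattern only protects a patched utility if it matches the package that owns it. `rpm -qf /sbin/losetup` reports the owning package for a given file.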



