Subversion Repositories svn LFS-FR



# The Glibc issetugid() patch is no longer used. issetugid() could be preloaded
# from a user-defined library, just like getuid() or getgid(), so issetugid()
# doesn't have any benefit. In BSD and Solaris, issetugid() is a kernel syscall
# and is safer. In Linux we should use __libc_enable_secure(), which is similar,
# but requires packages to be patched. All packages should be searched for the
# issetugid() function, and modified to use __libc_enable_secure() instead.
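An added example (not part of the original notes or of any package's code) of a secure-mode check that relies on a kernel-supplied flag instead of a userland issetugid(). It uses the public getauxval(AT_SECURE) interface, the kernel-provided value behind glibc's secure mode, rather than the __libc_enable_secure symbol named above; the helper names, the DEMO_CONF variable and the fallback path are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE: glibc 2.16 or later */

/* Constructed sample default; not a path taken from the notes. */
static const char demo_fallback[] = "/etc/demo.conf";

/* Nonzero when the kernel started this process in secure-execution mode
 * (set-uid/set-gid binary, file capabilities, or an LSM decision).
 * The flag is read from the auxiliary vector the kernel passed at exec
 * time; it is not recomputed from getuid()/geteuid() style calls. */
int running_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Hypothetical helper: hand back an environment value only when the
 * process is not in secure mode, otherwise NULL. */
const char *trusted_env(int secure, const char *name)
{
    return secure ? NULL : getenv(name);
}

/* Hypothetical helper: choose a config path, ignoring the environment
 * override whenever the process runs with elevated privileges. */
const char *pick_path(int secure, const char *name, const char *fallback)
{
    const char *v = trusted_env(secure, name);
    return (v != NULL && v[0] != '\0') ? v : fallback;
}

int main(void)
{
    int secure = running_secure();
    printf("secure mode: %d\n", secure);
    printf("config path: %s\n", pick_path(secure, "DEMO_CONF", demo_fallback));
    return 0;
}
```

A package that currently branches on issetugid() would call running_secure() at the same point and keep its existing "ignore the environment" path.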

# Object directories are used whenever possible, to support building from
# read-only sources. One day this may be useful, such as building from sources
# which were unpacked onto a CD-ROM or a read-only partition.

# In tools we don't let packages install to /tools/libexec/, for consistency.

# Avoid installing docs to /tools, since we're not going to use them.

# It would be nice to optionally strip packages as they're installed.

# Bison, Flex, and M4 are needed when using snapshots of GCC (or Binutils).

# Everything in /tools is hardened so that we reboot into a hardened system.

# The --fatal-warnings linker option is used primarily for locating
# DT_TEXTREL, with --warn-shared-textrel, but also causes compiler errors
# when mktemp(3) or tmpnam(3) are used... so we have zero tolerance for these.

# Whatever bug fix patches are normally used in Chap6, we use them in /tools,
# because we're going to reboot /tools.

# When package maintainers offer a GnuPG signature, or an md5/sha file, then
# use that instead of making our own md5sum.

# Don't install anything to /tools/sbin. Since only the administrator uses
# /tools, there is no need to have another directory for admin applications.