1 |
Michał Górny posted on Wed, 04 Jul 2012 22:38:50 +0200 as excerpted: |
2 |
|
3 |
> On Wed, 4 Jul 2012 20:06:58 +0200 Tobias Klausmann <klausman@g.o> |
4 |
> wrote: |
5 |
> |
6 |
>> On Wed, 04 Jul 2012, Michał Górny wrote: |
7 |
>> > There's a very simple yet custom solution I'm using. Shortly saying: |
8 |
>> > checkout the kernel git to /usr/src/linux and chown to your user. As |
9 |
>> > far as it goes, it's superior to having kernel sources installed by |
10 |
>> > ebuilds. |
11 |
>> > |
12 |
>> > I just have to remember to do 'git fetch' from time to time and 'git |
13 |
>> > merge' whenever a new version is tagged. |
14 |
>> |
15 |
>> It is also beyond the package manager's control. That means users who |
16 |
>> want to just configure their kernel (and run point releases otherwise) |
17 |
>> have to actively check for new tags/versions. |
18 |
> |
19 |
> True. I think that's the direction I should look into improving. |
20 |
> |
21 |
>> Aside from that the git tree is not exactly lightweight: my current 2.6 |
22 |
>> checkout weighs in at 1.4G whereas the unpacked tar is 512M. |
23 |
> |
24 |
> Well, that's the other problem. On the other hand, you usually have to |
25 |
> have that 1G free anyway unless you intend to manually unmerge the |
26 |
> previous *-sources before installing the new one. And the time needed to |
27 |
> do that... git is so much faster. |
28 |
|
29 |
I'll second the git being faster bit. What's especially nice about it is |
30 |
that checking out and building any arbitrary tag (release or rc), or for |
31 |
that matter, doing a bisect down to an individual commit, if you're |
32 |
trying to track down some issue or other, is really easy. [1] |
33 |
|
34 |
But the main reason for this reply is to add this idea: |
35 |
|
36 |
Here, I have my regular user, and I have my admin-hat user. My regular |
37 |
user has sudo locked down quite strictly, with a password required for |
38 |
anything not specific parameter locked, etc. But, the one thing the |
39 |
regular usr CAN do, is sudo (with password) to the admin user. |
40 |
Additionally, my regular user isn't in the portage, wheel, etc, groups |
41 |
either (and polkit is generally locked down for it as well), so it really |
42 |
is quite privilege-locked, EXCEPT that it can sudo to admin. |
43 |
|
44 |
The admin user then has unrestricted passwordless sudo access. Basically |
45 |
root, except that I can type the command unprivileged first, then when |
46 |
for instance the rm gives me the expected permissions error, I can see |
47 |
that it's what I did indeed intend to rm, and arrow-up, home, sudo in |
48 |
front, to actually do it. |
49 |
|
50 |
The admin user is then what I use to git pull and build the kernel, so |
51 |
that's the only user (other than root) with write access to the kernel |
52 |
sources. My normal user doesn't have that access, thus avoiding the |
53 |
normal-user-writable security issue mentioned in your (klausman's) blog. |
54 |
Since that admin user then has unrestricted passwordless sudo, sudoing |
55 |
(from that admin user) to root for the actual install is trivial. |
56 |
|
57 |
|
58 |
Meanwhile, I actually have a set of kernel maintenance helper scripts |
59 |
that I use to update, configure (either oldconfig for the update or just |
60 |
to change something...), build and install the kernel. They're not ready |
61 |
for use by the general public yet, but they're a reasonable start, |
62 |
including a configuration file for most stuff one might want to change |
63 |
(where the kernel dir is located, where the output dir is located so as |
64 |
to keep the sources dir itself clean if so desired, whether to auto- |
65 |
mount /boot for installation, etc). There's even provision for |
66 |
automatically applying patches from a user patches dir! =:^) |
67 |
|
68 |
Since I've been running a git kernel for several years now, the git- |
69 |
kernel scripts are current, but I did start on the scripts back when I |
70 |
was still using tarballs, so there's scripts that automate most of that, |
71 |
as well, tho they're a bit stale now as I've not actually run/tested them |
72 |
in a couple years (but I did try to update them for the 3.0 kernel, etc). |
73 |
|
74 |
If you'd like, I can email them. As I said, they're not really fit for |
75 |
public consumption yet, but it's a reasonable start including a config |
76 |
file, and I use it for maintaining my systems (both x86 and amd64, |
77 |
separate output dirs based on the bash ARCH variable) here, with a |
78 |
maturity and development over several years, so if you're interested in |
79 |
/making/ them fit for public consumption, it'd certainly save quite some |
80 |
days work over starting from scratch. |
81 |
|
82 |
Obviously I'm running/testing the scripts as a gentoo user, but other |
83 |
than perhaps some of the config file comments, there's not a whole lot |
84 |
specific to gentoo about 'em. |
85 |
|
86 |
--- |
87 |
[1] I routinely run live-git kernels, but don't like to run anything |
88 |
before rc1 until some days later, just in case. So when a release comes |
89 |
out, I'll often update a couple days into the new cycle, and then simply |
90 |
checkout and build the release tag. Then sometime after rc1 or rc2, I |
91 |
update again, and test from there. I figure if I need to bisect |
92 |
anything, news of any too drastic data-eating bugs pre-rc1 should be |
93 |
available, and I can then bisect back into the previously blackout period |
94 |
with a bit more confidence. |
95 |
|
96 |
-- |
97 |
Duncan - List replies preferred. No HTML msgs. |
98 |
"Every nonfree program has a lord, a master -- |
99 |
and if you use the program, he is your master." Richard Stallman |