| 1 |
Michał Górny posted on Wed, 04 Jul 2012 22:38:50 +0200 as excerpted: |
| 2 |
|
| 3 |
> On Wed, 4 Jul 2012 20:06:58 +0200 Tobias Klausmann <klausman@g.o> |
| 4 |
> wrote: |
| 5 |
> |
| 6 |
>> On Wed, 04 Jul 2012, Michał Górny wrote: |
| 7 |
>> > There's a very simple yet custom solution I'm using. Shortly saying: |
| 8 |
>> > checkout the kernel git to /usr/src/linux and chown to your user. As |
| 9 |
>> > far as it goes, it's superior to having kernel sources installed by |
| 10 |
>> > ebuilds. |
| 11 |
>> > |
| 12 |
>> > I just have to remember to do 'git fetch' from time to time and 'git |
| 13 |
>> > merge' whenever a new version is tagged. |
| 14 |
>> |
| 15 |
>> It is also beyond the package manager's control. That means users who |
| 16 |
>> want to just configure their kernel (and run point releases otherwise) |
| 17 |
>> have to actively check for new tags/versions. |
| 18 |
> |
| 19 |
> True. I think that's the direction I should look into improving. |
| 20 |
> |
| 21 |
>> Aside from that the git tree is not exactly lightweight: my current 2.6 |
| 22 |
>> checkout weighs in at 1.4G whereas the unpacked tar is 512M. |
| 23 |
> |
| 24 |
> Well, that's the other problem. On the other hand, you usually have to |
| 25 |
> have that 1G free anyway unless you intend to manually unmerge the |
| 26 |
> previous *-sources before installing the new one. And the time needed to |
| 27 |
> do that... git is so much faster. |
| 28 |
|
| 29 |
I'll second the git being faster bit. What's especially nice about it is |
| 30 |
that checking out and building any arbitrary tag (release or rc), or for |
| 31 |
that matter, doing a bisect down to an individual commit, if you're |
| 32 |
trying to track down some issue or other, is really easy. [1] |
| 33 |
|
| 34 |
But the main reason for this reply is to add this idea: |
| 35 |
|
| 36 |
Here, I have my regular user, and I have my admin-hat user. My regular |
| 37 |
user has sudo locked down quite strictly, with a password required for |
| 38 |
anything not specific parameter locked, etc. But, the one thing the |
| 39 |
regular usr CAN do, is sudo (with password) to the admin user. |
| 40 |
Additionally, my regular user isn't in the portage, wheel, etc, groups |
| 41 |
either (and polkit is generally locked down for it as well), so it really |
| 42 |
is quite privilege-locked, EXCEPT that it can sudo to admin. |
| 43 |
|
| 44 |
The admin user then has unrestricted passwordless sudo access. Basically |
| 45 |
root, except that I can type the command unprivileged first, then when |
| 46 |
for instance the rm gives me the expected permissions error, I can see |
| 47 |
that it's what I did indeed intend to rm, and arrow-up, home, sudo in |
| 48 |
front, to actually do it. |
| 49 |
|
| 50 |
The admin user is then what I use to git pull and build the kernel, so |
| 51 |
that's the only user (other than root) with write access to the kernel |
| 52 |
sources. My normal user doesn't have that access, thus avoiding the |
| 53 |
normal-user-writable security issue mentioned in your (klausman's) blog. |
| 54 |
Since that admin user then has unrestricted passwordless sudo, sudoing |
| 55 |
(from that admin user) to root for the actual install is trivial. |
| 56 |
|
| 57 |
|
| 58 |
Meanwhile, I actually have a set of kernel maintenance helper scripts |
| 59 |
that I use to update, configure (either oldconfig for the update or just |
| 60 |
to change something...), build and install the kernel. They're not ready |
| 61 |
for use by the general public yet, but they're a reasonable start, |
| 62 |
including a configuration file for most stuff one might want to change |
| 63 |
(where the kernel dir is located, where the output dir is located so as |
| 64 |
to keep the sources dir itself clean if so desired, whether to auto- |
| 65 |
mount /boot for installation, etc). There's even provision for |
| 66 |
automatically applying patches from a user patches dir! =:^) |
| 67 |
|
| 68 |
Since I've been running a git kernel for several years now, the git- |
| 69 |
kernel scripts are current, but I did start on the scripts back when I |
| 70 |
was still using tarballs, so there's scripts that automate most of that, |
| 71 |
as well, tho they're a bit stale now as I've not actually run/tested them |
| 72 |
in a couple years (but I did try to update them for the 3.0 kernel, etc). |
| 73 |
|
| 74 |
If you'd like, I can email them. As I said, they're not really fit for |
| 75 |
public consumption yet, but it's a reasonable start including a config |
| 76 |
file, and I use it for maintaining my systems (both x86 and amd64, |
| 77 |
separate output dirs based on the bash ARCH variable) here, with a |
| 78 |
maturity and development over several years, so if you're interested in |
| 79 |
/making/ them fit for public consumption, it'd certainly save quite some |
| 80 |
days work over starting from scratch. |
| 81 |
|
| 82 |
Obviously I'm running/testing the scripts as a gentoo user, but other |
| 83 |
than perhaps some of the config file comments, there's not a whole lot |
| 84 |
specific to gentoo about 'em. |
| 85 |
|
| 86 |
--- |
| 87 |
[1] I routinely run live-git kernels, but don't like to run anything |
| 88 |
before rc1 until some days later, just in case. So when a release comes |
| 89 |
out, I'll often update a couple days into the new cycle, and then simply |
| 90 |
checkout and build the release tag. Then sometime after rc1 or rc2, I |
| 91 |
update again, and test from there. I figure if I need to bisect |
| 92 |
anything, news of any too drastic data-eating bugs pre-rc1 should be |
| 93 |
available, and I can then bisect back into the previously blackout period |
| 94 |
with a bit more confidence. |
| 95 |
|
| 96 |
-- |
| 97 |
Duncan - List replies preferred. No HTML msgs. |
| 98 |
"Every nonfree program has a lord, a master -- |
| 99 |
and if you use the program, he is your master." Richard Stallman |
Archives