introduction/important/building-notes.xml
rbf5fb94 rdddebae7 10 10 11 11 <sect1info> 12 <othername>$LastChangedBy$</othername>13 12 <date>$Date$</date> 14 13 </sect1info> … … 92 91 93 92 <sect2> 94 <title>Verifying File Integrity Using 'md5sum'</title>95 96 <para>Generally, to verify that the downloaded file is genuine andcomplete,93 <title>Verifying File Integrity</title> 94 95 <para>Generally, to verify that the downloaded file is complete, 97 96 many package maintainers also distribute md5sums of the files. To verify the 98 97 md5sum of the downloaded files, download both the file and the … … 112 111 113 112 <screen><userinput>md5sum <replaceable><name_of_downloaded_file></replaceable></userinput></screen> 113 114 <para>MD5 is not cryptographically secure, so the md5sums are only 115 provided for detecting random errors or truncations introduced during 116 network transfer. There is no <quote>100%</quote> secure way to make 117 sure the genuity of the source files. Assuming the upstream is managing 118 their website correctly (the private key is not leaked and the domain is 119 not hijacked), and the trust anchors have been set up correctly using 120 <xref linkend="make-ca"/> on the BLFS system, we can reasonably trust 121 download URLs to the upstream official website 122 <emphasis role="bold">with https protocol</emphasis>. Note that 123 BLFS book itself is published on a website with https, so you should 124 already have some confidence in https protocol or you wouldn't trust the 125 book content.</para> 126 127 <para>If the package is downloaded from an unofficial location (for 128 example a local mirror), checksums generated by cryptographically secure 129 digest algorithms (for example SHA256) can be used to verify the 130 genuity of the package. Download the checksum file from the upstream 131 <emphasis role="bold">official</emphasis> website (or somewhere 132 <emphasis role="bold">you can trust</emphasis>) and compare the 133 checksum of the package from unoffical location with it. 
For example, 134 SHA256 checksum can be checked with the command:</para> 135 136 <note> 137 <para>If the checksum and the package are downloaded from the same 138 untrusted location, you won't gain security enhancement by verifying 139 the package with the checksum. The attacker can fake the checksum as 140 well as compromising the package itself.</para> 141 </note> 142 143 <screen><userinput>sha256sum -c <replaceable>file</replaceable>.sha256sum</userinput></screen> 144 145 <para>If <xref linkend="gnupg2"/> is installed, you can also verify the 146 genuity of the package with a GPG signature. Import the upstream GPG 147 public key with:</para> 148 149 <screen><userinput>gpg --recv-key <replaceable>keyID</replaceable></userinput></screen> 150 151 <para><replaceable>keyID</replaceable> should be replaced with the key ID 152 from somewhere <emphasis role="bold">you can trust</emphasis> (for 153 example, copy it from the upstream official website using https). Now 154 you can verify the signature with:</para> 155 156 <screen><userinput>gpg --recv-key <replaceable>file</replaceable>.sig <replaceable>file</replaceable></userinput></screen> 157 158 <para>The advantage of <application>GnuPG</application> signature is, 159 once you imported a public key which can be trusted, you can download 160 both the package and its signature from the same unofficial location and 161 verify them with the public key. So you won't need to connect to the 162 official upstream website to retrieve a checksum for each new release. 163 You only need to update the public key if it's expired or revoked. 164 </para> 114 165 115 166 </sect2> … … 406 457 <title>Stripping One More Time</title> 407 458 459 <warning> 460 <para>If you did not strip programs and libraries in LFS, 461 the following will probably make your system unusable. To avoid that, 462 run the instructions at <ulink url="&lfs-root;/chapter08/strippingagain.html"/> 463 instead. 
After the critical files are stripped using those instructions, 464 the instructions below can be run any time new packages are installed. 465 </para> 466 </warning> 467 408 468 <para> 409 469 In LFS, stripping of debugging symbols was discussed a couple of … … 414 474 </para> 415 475 416 <screen><userinput>find / {,usr/}{bin,lib,sbin} \476 <screen><userinput>find /usr/{bin,lib,sbin} \ 417 477 -type f \( -name \*.so* -a ! -name \*dbg \) \ 418 478 -exec strip --strip-unneeded {} \;</userinput></screen> … … 615 675 </listitem> 616 676 <listitem> 617 <para>debug : '-g'</para> 677 <para>debug : '-g' - this is the default if nothing is specified 678 in either <filename>meson.build</filename> or the command line. 679 However it results large and slow binaries, so we should override 680 it in BLFS.</para> 618 681 </listitem> 619 682 <listitem> 620 <para>debugoptimized : '-O2 -g' - this is the default if nothing is621 specified, it leaves assertions enabled.</para>683 <para>debugoptimized : '-O2 -g' : this is the default specified in 684 <filename>meson.build</filename> of some packages.</para> 622 685 </listitem> 623 686 <listitem> … … 699 762 replace the package's defaults, or even be ignored. There are details 700 763 on some desktop packages which were mostly current in April 2019 at 701 <ulink url="http ://www.linuxfromscratch.org/~ken/tuning/"/> - in764 <ulink url="https://www.linuxfromscratch.org/~ken/tuning/"/> - in 702 765 particular, README.txt, tuning-1-packages-and-notes.txt, and 703 766 tuning-notes-2B.txt. The particular thing to remember is that if you
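Review bot: the second gpg command in the 'Verifying File Integrity' hunk is wrong: `gpg --recv-key <replaceable>file</replaceable>.sig <replaceable>file</replaceable>` fetches keys, it does not check a signature, so a reader following it never verifies anything; the `<screen>` after "Now you can verify the signature with:" should use `gpg --verify`. In the same hunk, the new `<note>` is inserted between the sentence ending "can be checked with the command:" and the `sha256sum -c` `<screen>` it introduces, which splits that sentence from its command; move the note before the "For example" sentence or after the `<screen>`. Wording: "genuity" (three occurrences) is not an English word, use "authenticity"; "unoffical" should be "unofficial"; "make sure the genuity of" should be "make sure of the authenticity of". Since a bare key ID is not a strong identifier, it is also worth telling the reader to compare the full fingerprint (`gpg --fingerprint`) of the imported key with the one published on the upstream https site.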
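Review bot: in the meson buildtype hunk, "However it results large and slow binaries" is missing a preposition and should read "However, it results in large and slow binaries". The rewritten debugoptimized item drops the previous remark that this build type leaves assertions enabled; if that is still the case for '-O2 -g', keep it, because it is part of the reason BLFS overrides the buildtype rather than accepting a package's default.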