Bug#: 43726
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Release Team <release@gentoo.org>
Reporter: Tobias Scherbaum <dertobi123@gentoo.org>

Attachments:
  temp.diff  (patch, 3.58 KB)  Patch to hb-install-kernel.xml      Sven Vermeulen (RETIRED), 2004-03-05 00:58 0000
  temp.diff  (patch, 4.45 KB)  Patch to hb-install-bootloader.xml  Sven Vermeulen (RETIRED), 2004-03-05 00:59 0000

Description:   Opened: 2004-03-04 09:30 0000
... this causes one big problem for a user who wants to do a GRP or
installation without internet connectivity:
linux-2.4.24.tar.bz2 is included in the distfiles dir on cd-1, but 2.4.25 is
marked stable in the snapshot delivered onto the livecd. We _could_ advise the
user to install =vanilla-sources-2.4.24, but 2.4.24 is locally exploitable
(#42024); so nothing that we should recommend in our handbook. Another option
would be to suggest gs-sources, but I don't know if gs-sources-2.4.25_pre7-r* are
affected by this exploit.

I can't suggest any good solution at this point, one possible option would be
to mark installations with 2004.0 media and without internet access as broken
...

------- Comment #1 From Sven Vermeulen (RETIRED) 2004-03-04 11:20:18 0000 -------
It's just an example, not a recommendation. I'm tempted to mark this a WONTFIX
or INVALID. Otherwise we'll always have issues (for instance, if an exploit is
found in vixie-cron, or syslog-ng, why would we have to alter the instructions
because the GRPs we provide are vulnerable?).

------- Comment #2 From Sergey Kuleshov (RETIRED) 2004-03-04 11:31:27 0000 -------
Every time they find a new exploit we are not going to go through all docs and
change every reference to the newer versions, just to find out later on that this
version has other exploits.

------- Comment #3 From Tobias Scherbaum 2004-03-04 11:41:07 0000 -------
The exploit isn't the main thing, the main thing is that portage wants to
install vanilla-sources-2.4.25, but only 2.4.24 sources are on the cd. Any
installation without the possibility of getting linux-2.4.25.tar.bz2 will fail
at this point.

------- Comment #4 From John Davis (zhen) (RETIRED) 2004-03-04 14:56:49 0000 -------
This is a release bug that should be listed in the Release Notes errata. I will
forward this to the correct people so that it can be added. Sven, do you have
any recommendations in the handbook for users to check out the Release Notes if
they run into problems before submitting a bug or going to the forums?

Beejay - could you add this to the x86 errata please? 

------- Comment #5 From Benjamin Judas 2004-03-04 23:00:14 0000 -------
Ok, this bug appeared since the grp-sets were created with a snapshot made on
Feb. 18th. All .iso-files were created with a newer snapshot - and .25 was
marked "x86" in the newer one. So actually .25 wasn't merged into the grp-sets
and that's why it is missing now. Will put it into errata.

------- Comment #6 From Sven Vermeulen (RETIRED) 2004-03-04 23:47:45 0000 -------
I'll refer the users to the errata (which should be done anyway), but Tobias is
right, we need to use a different example here. Not because of the possible
security issues, but because the method just breaks.

Perhaps we can use development-sources as an example? We're a bleeding-edge
distribution and it's still an example.

------- Comment #7 From Tobias Scherbaum 2004-03-05 00:18:57 0000 -------
> Perhaps we can use development-sources as an example?

That's a _little_ problem ;) The only source archive on the x86 universal cd is linux-2.4.24.tar.bz2. That's why i told: =vanilla-sources-2.4.24 or gs-sources ...

CC'ing docs-team@g.o

------- Comment #8 From Sven Vermeulen (RETIRED) 2004-03-05 00:39:57 0000 -------
What ?!? */me chokes*

None of the other kernel sources is available on the CD? 

Sigh; I wished someone had told me this sooner. I guess the available sources also depend on the architecture? x86 has vanilla-sources-2.4.24, what about the other architectures?

------- Comment #9 From Sven Vermeulen (RETIRED) 2004-03-05 00:58:52 0000 -------
Created an attachment (id=26878) [details]
Patch to hb-install-kernel.xml

This patch includes information for network-less installations; the table isn't
completely filled in yet so this shouldn't be committed until we know what
sources are available for the individual architectures.

------- Comment #10 From Sven Vermeulen (RETIRED) 2004-03-05 00:59:42 0000 -------
Created an attachment (id=26879) [details]
Patch to hb-install-bootloader.xml

Accompanying patch which changes the kernel versions in the bootloaders to be
consistent with the hb-install-kernel example.

------- Comment #11 From Tobias Scherbaum 2004-03-05 01:50:26 0000 -------
Besides that, the patches look fine; some remarks:
- as of now we only know that x86 is affected
- with =vanilla-sources-2.4.24 we introduce a new syntax which hasn't been explained until this point
- 2.4.24 is locally exploitable

_IMHO_ it would be _much_ better to get a fixed x86 universal cd onto the mirrors or mark offline installations as broken.

------- Comment #12 From Lucio 2004-03-05 10:56:44 0000 -------
I second this:

:_IMHO_ it would be _much_ better to get a fixed x86 universal cd onto
: the mirrors or mark offline installations as broken

------- Comment #13 From Sven Vermeulen (RETIRED) 2004-03-07 02:59:21 0000 -------
I'm not going to wait until someone thinks of fixing this by releasing a new
LiveCD. I'm also not happy having a broken/documented method.

I'm currently committing the necessary changes to the documentation and
reassigning to release@gentoo.org. They should decide on releasing a "fixed"
universal LiveCD for x86 or not.

------- Comment #14 From Benjamin Judas 2004-03-14 04:46:25 0000 -------
*** Bug 44619 has been marked as a duplicate of this bug. ***

------- Comment #15 From M. Edward Borasky 2004-03-14 13:58:15 0000 -------
A little research -- here's the script I use to do the install at "chroot"
time:

#!/bin/bash
# Run inside the chroot; -k lets emerge use the binary packages shipped on the CD.
env-update
source /etc/profile
ln -sf /usr/share/zoneinfo/PST8PDT /etc/localtime
nano -w /etc/fstab                        # edit the mount table for the new system
emerge -k gentoo-sources
emerge -k genkernel
genkernel all                             # build kernel, modules and initrd
emerge -k hotplug
rc-update add hotplug default
emerge -k sysklogd
rc-update add sysklogd default
emerge -k vixie-cron
rc-update add vixie-cron default
rc-update add net.eth0 default
rc-update add net.lo default
echo DreamTimeGentoo > /etc/hostname
nano -w /etc/rc.conf
emerge -k grub
grub-install /dev/hda7                    # GRUB goes into the partition, not the MBR
cp /boot/grub/grub.conf.sample /boot/grub/grub.conf
ls -1 /boot >> /boot/grub/grub.conf       # append the kernel/initrd file names to edit into a boot entry
ln -s /boot/grub/grub.conf /boot/grub/menu.lst
nano -w /boot/grub/menu.lst
emerge -k vim
emerge -k kde
rc-update add xdm default
etc-update
sync;sync;sync # superstition??
exit
--------------------------------------------------------------------------------

So, I ran everything up to that point and replaced the "emerge -k" calls with
"emerge -kpv" calls to see what needs to be downloaded. Here's the list of the
packages that are missing when I do that:

emerge -kpv genkernel:
These are the packages that I would merge, in order:

Calculating dependencies    ...done!
[binary  N    ] media-libs/freetype-2.1.5  +bindist +zlib  
[binary  N    ] media-libs/jpeg-6b-r3   
[binary  N    ] media-libs/lcms-1.12  +jpeg +python -tiff +zlib  
[binary  N    ] media-libs/libmng-1.0.4   
[ebuild  N    ] media-gfx/bootsplash-0.6-r9   507 kB 
[ebuild  N    ] sys-kernel/genkernel-3.0.1_rc1   2,037 kB 

Total size of downloads: 2,545 kB


emerge -kpv vanilla-sources:
These are the packages that I would merge, in order:

Calculating dependencies    ...done!
[ebuild  N    ] sys-kernel/vanilla-sources-2.4.25  -build  29,908 kB 

Total size of downloads: 29,908 kB


emerge -kpv gentoo-sources:
These are the packages that I would merge, in order:

Calculating dependencies    ...done!
[ebuild  N    ] sys-apps/module-init-tools-0.9.15_pre4   344 kB 
[ebuild  N    ] sys-kernel/gentoo-sources-2.4.22-r7  -build  32,515 kB 

Total size of downloads: 32,860 kB


emerge -kpv grub:
These are the packages that I would merge, in order:

Calculating dependencies    ...done!
[ebuild  N    ] sys-boot/grub-0.93.20030118  -static  112 kB 

Total size of downloads: 112 kB
--------------------------------------------------------------------------------
Everything else that I need appears to be on the CDs, including KDE and VIM.
The plan is to download these (using Debian ... sorry :) and re-run the
install. Then I should be at the point where I can "emerge sync" and update
everything.
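
Added example, not part of this bug report or of Gentoo's own tooling: a small
POSIX shell script that mechanises the check described in the comment above
(swap emerge -k for emerge -kpv and read off which rows would download) and
ties it back to the failure from comment 3, by looking in a distfiles directory
for the versions Portage wants. The listing it parses is constructed in the
format of the emerge -kpv output above, not captured output. The
version-in-filename lookup is an assumption and only a heuristic: the real
distfile name comes from the ebuild's SRC_URI (vanilla-sources-2.4.25 wants
linux-2.4.25.tar.bz2, whose absence from the CD is exactly this bug), so a hit
is a hint and a miss is a real problem for an offline install.

```shell
#!/bin/sh
# Added example, not from the bug report or from Gentoo's own tooling.
# Reads an "emerge -kpv" pretend listing, separates rows that -k can satisfy
# from the CD's binary packages ("[binary ...]") from rows Portage would have to
# fetch as source ("[ebuild ...]"), totals the download size, and looks in a
# distfiles directory for a tarball carrying each source package's version.
# Assumption: the version-in-filename lookup is a heuristic. The real distfile
# name comes from the ebuild's SRC_URI (vanilla-sources-2.4.25 wants
# linux-2.4.25.tar.bz2), so treat a hit as a hint and a miss as a real problem.

# Constructed sample in the format of the emerge -kpv output above; not captured.
SAMPLE_LISTING='These are the packages that I would merge, in order:

Calculating dependencies    ...done!
[binary  N    ] media-libs/freetype-2.1.5  +bindist +zlib
[binary  N    ] media-libs/jpeg-6b-r3
[ebuild  N    ] media-gfx/bootsplash-0.6-r9   507 kB
[ebuild  N    ] sys-kernel/genkernel-3.0.1_rc1   2,037 kB
[ebuild  N    ] sys-kernel/vanilla-sources-2.4.25  -build  29,908 kB

Total size of downloads: 32,452 kB'

# Atoms (category/name-version) of the rows that need a source download.
needs_fetch() {
    printf '%s\n' "$1" | sed -n 's/^\[ebuild [^]]*\] *\([^ ]*\).*/\1/p'
}

# Sum of the "N kB" figures on [ebuild] rows; thousands separators dropped.
fetch_kb() {
    printf '%s\n' "$1" | awk '
        /^\[ebuild/ {
            for (i = NF; i > 1; i--)
                if ($i == "kB") { n = $(i - 1); gsub(",", "", n); total += n; break }
        }
        END { printf "%d\n", total }'
}

# Upstream version of an atom: drop the category, the name and any -rN revision.
#   sys-kernel/vanilla-sources-2.4.25 -> 2.4.25,  media-gfx/bootsplash-0.6-r9 -> 0.6
atom_version() {
    printf '%s\n' "$1" | sed 's|^.*/||; s/^.*-\([0-9][^ ]*\)$/\1/; s/-r[0-9]*$//'
}

# Atoms from [ebuild] rows for which no file in DISTDIR contains the version:
# the rows an installation without network access would stall on.
missing_sources() {
    distdir=$1
    needs_fetch "$2" | while read -r atom; do
        ver=$(atom_version "$atom")
        found=0
        for f in "$distdir"/*"$ver"*; do
            if [ -e "$f" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$atom"; fi
    done
}

# Stand-alone run against a throwaway distfiles directory that mimics the x86
# universal CD of this bug: only linux-2.4.24.tar.bz2 is present.
demo() {
    d=$(mktemp -d)
    : > "$d/linux-2.4.24.tar.bz2"
    echo "source packages to fetch:"; needs_fetch "$SAMPLE_LISTING"
    echo "download size: $(fetch_kb "$SAMPLE_LISTING") kB"
    echo "no distfile for:"; missing_sources "$d" "$SAMPLE_LISTING"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo, or point missing_sources at /mnt/cdrom/distfiles and feed
it the real emerge -kpv output before leaving the network behind; anything it
prints is a package the binary set cannot satisfy and the CD cannot supply.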

------- Comment #16 From roger55 (RETIRED) 2004-04-24 09:28:55 0000 -------
*** Bug 48882 has been marked as a duplicate of this bug. ***

------- Comment #17 From Benjamin Judas 2004-08-25 01:31:59 0000 -------
Closing this one since it was related to 2004.0 and should be fixed in the
current release.

------- Comment #18 From Chris Gianelloni (RETIRED) 2005-03-25 11:24:34 0000 -------
Moving these so we can remove the "Install CD" component from "Gentoo Linux".

I apologize to everyone for this spam, but according to the bugzilla developers,
this is the only reasonable way to do this.
