Bug 43726 - 2004.0: vanilla-sources is the recommend kernel-source ...
Summary: 2004.0: vanilla-sources is the recommend kernel-source ...
Status: RESOLVED FIXED
Product: Gentoo Release Media
Classification: Unclassified
Component: Everything
Hardware: All All
Importance: High normal
Assignee: Gentoo Release Team
URL: http://www.gentoo.org/doc/en/handbook...
Duplicates: 44619 48882
Reported: 2004-03-04 09:30 UTC by Tobias Scherbaum (RETIRED)
Modified: 2005-03-25 11:24 UTC (History)

Attachments
Patch to hb-install-kernel.xml (temp.diff,3.58 KB, patch)
2004-03-05 00:58 UTC, Sven Vermeulen (RETIRED)
Patch to hb-install-bootloader.xml (temp.diff,4.45 KB, patch)
2004-03-05 00:59 UTC, Sven Vermeulen (RETIRED)

Description Tobias Scherbaum (RETIRED) gentoo-dev 2004-03-04 09:30:08 UTC
... this causes one big problem for a user who wants to do a GRP or installation without internet connectivity:
linux-2.4.24.tar.bz2 is included in the distfiles dir on cd-1, but 2.4.25 is marked stable in the snapshot delivered onto the livecd. We _could_ advise the user to install =vanilla-sources-2.4.24, but 2.4.24 is locally exploitable (#42024); so nothing that we should recommend in our handbook. Another option would be to suggest gs-sources, but I dunno if gs-sources-2.4.25_pre7-r* are affected by this exploit.

I can't suggest any good solution at this point, one possible option would be to mark installations with 2004.0 media and without internet access as broken ...
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2004-03-04 11:20:18 UTC
It's just an example, not a recommendation. I'm tempted to mark this a WONTFIX or INVALID. Otherwise we'll always have issues (for instance, if an exploit is found in vixie-cron, or syslog-ng, why would we have to alter the instructions because the GRPs we provide are vulnerable?).
Comment 2 Sergey Kuleshov (RETIRED) gentoo-dev 2004-03-04 11:31:27 UTC
Every time they find a new exploit we are not gonna go through all docs and change every reference to the newer versions. Just to find later on that this version has other exploits.
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2004-03-04 11:41:07 UTC
The exploit isn't the main thing, the main thing is that portage wants to install vanilla-sources-2.4.25, but only 2.4.24 sources are on the cd. Any installation without the possibility of getting linux-2.4.25.tar.bz2 will fail at this point.
Comment 4 John Davis (zhen) (RETIRED) gentoo-dev 2004-03-04 14:56:49 UTC
This is a release bug that should be listed in the Release Notes errata. I will forward this to the correct people so that it can be added. Sven, do you have any recommendations in the handbook for users to check out the Release Notes if they run into problems before submitting a bug or going to the forums?

Beejay - could you add this to the x86 errata please? 
Comment 5 Benjamin Judas (RETIRED) gentoo-dev 2004-03-04 23:00:14 UTC
Ok, this bug appeared since the grp-sets were created with a snapshot made on Feb. 18th. All .iso-files were created with a newer snapshot - and .25 was marked "x86" in the newer one. So actually .25 wasn't merged into the grp-sets and that's why it is missing now. Will put it into errata.
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2004-03-04 23:47:45 UTC
I'll refer the users to the errata (which should be done anyway), but Tobias is right, we need to use a different example here. Not because of the possible security issues, but because the method just breaks.

Perhaps we can use development-sources as an example? We're a bleeding-edge distribution and it's still an example.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2004-03-05 00:18:57 UTC
> Perhaps we can use development-sources as an example?

That's a _little_ problem ;) The only source archive on the x86 universal cd is linux-2.4.24.tar.bz2. That's why I said: =vanilla-sources-2.4.24 or gs-sources ...

CC'ing docs-team@g.o
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2004-03-05 00:39:57 UTC
What ?!? */me chokes*

None of the other kernel sources is available on the CD? 

Sigh; I wish someone had told me this sooner. I guess the available sources also depend on the architecture? x86 has vanilla-sources-2.4.24, what about the other architectures?
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2004-03-05 00:58:52 UTC
Created attachment 26878
Patch to hb-install-kernel.xml

This patch includes information for network-less installations; the table isn't
completely filled in yet so this shouldn't be committed until we know what
sources are available for the individual architectures.
Comment 10 Sven Vermeulen (RETIRED) gentoo-dev 2004-03-05 00:59:42 UTC
Created attachment 26879
Patch to hb-install-bootloader.xml

Accompanying patch which changes the kernel versions in the bootloaders to be
consistent with the hb-install-kernel example.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2004-03-05 01:50:26 UTC
The patches look fine, but some remarks:
- as of now we only know that x86 is affected
- with =vanilla-sources-2.4.24 we introduce a new syntax which hasn't been explained until this point
- 2.4.24 is locally exploitable

_IMHO_ it would be _much_ better to get a fixed x86 universal cd onto the mirrors or mark offline installations as broken.
Comment 12 Lucio 2004-03-05 10:56:44 UTC
I second this:

:_IMHO_ it would be _much_ better to get a fixed x86 universal cd onto
: the mirrors or mark offline installations as broken
Comment 13 Sven Vermeulen (RETIRED) gentoo-dev 2004-03-07 02:59:21 UTC
I'm not going to wait until someone thinks of fixing this by releasing a new LiveCD. I'm also not happy having a broken/documented method.

I'm currently committing the necessary changes to the documentation and reassigning to release@gentoo.org. They should decide on releasing a "fixed" universal LiveCD for x86 or not.
Comment 14 Benjamin Judas (RETIRED) gentoo-dev 2004-03-14 04:46:25 UTC
*** Bug 44619 has been marked as a duplicate of this bug. ***
Comment 15 M. Edward Borasky 2004-03-14 13:58:15 UTC
A little research -- here's the script I use to do the install at "chroot" time:

env-update
source /etc/profile
ln -sf /usr/share/zoneinfo/PST8PDT /etc/localtime
nano -w /etc/fstab
emerge -k gentoo-sources
emerge -k genkernel
genkernel all
emerge -k hotplug
rc-update add hotplug default
emerge -k sysklogd
rc-update add sysklogd default
emerge -k vixie-cron
rc-update add vixie-cron default
rc-update add net.eth0 default
rc-update add net.lo default
echo DreamTimeGentoo > /etc/hostname
nano -w /etc/rc.conf
emerge -k grub
grub-install /dev/hda7
cp /boot/grub/grub.conf.sample /boot/grub/grub.conf
ls -1 /boot >> /boot/grub/grub.conf
ln -s /boot/grub/grub.conf /boot/grub/menu.lst
nano -w /boot/grub/menu.lst
emerge -k vim
emerge -k kde
rc-update add xdm default
etc-update
sync;sync;sync # superstition??
exit
--------------------------------------------------------------------------------

So, I ran everything up to that point and replaced the "emerge -k" calls with "emerge -kpv" calls to see what needs to be downloaded. Here's the list of the packages that are missing when I do that:

emerge -kpv genkernel:
These are the packages that I would merge, in order:

Calculating dependencies    ...done!
[binary  N    ] media-libs/freetype-2.1.5  +bindist +zlib  
[binary  N    ] media-libs/jpeg-6b-r3   
[binary  N    ] media-libs/lcms-1.12  +jpeg +python -tiff +zlib  
[binary  N    ] media-libs/libmng-1.0.4   
[ebuild  N    ] media-gfx/bootsplash-0.6-r9   507 kB 
[ebuild  N    ] sys-kernel/genkernel-3.0.1_rc1   2,037 kB 

Total size of downloads: 2,545 kB


emerge -kpv vanilla-sources:
These are the packages that I would merge, in order:

Calculating dependencies    ...done!
[ebuild  N    ] sys-kernel/vanilla-sources-2.4.25  -build  29,908 kB 

Total size of downloads: 29,908 kB


emerge -kpv gentoo-sources:
These are the packages that I would merge, in order:

Calculating dependencies    ...done!
[ebuild  N    ] sys-apps/module-init-tools-0.9.15_pre4   344 kB 
[ebuild  N    ] sys-kernel/gentoo-sources-2.4.22-r7  -build  32,515 kB 

Total size of downloads: 32,860 kB


emerge -kpv grub:
These are the packages that I would merge, in order:

Calculating dependencies    ...done!
[ebuild  N    ] sys-boot/grub-0.93.20030118  -static  112 kB 

Total size of downloads: 112 kB
--------------------------------------------------------------------------------
Everything else that I need appears to be on the CDs, including KDE and VIM. The plan is to download these (using Debian ... sorry :) and re-run the install. Then I should be at the point where I can "emerge sync" and update everything.
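
The check described in comment 15, as an added example that is not part of the original bug report or of Portage: it reads `emerge -kpv` output in the format quoted above and lists the source packages that still need a download, which is what breaks a network-less install. The function names `needs_download` and `sample_output` are hypothetical, and the output format is assumed to match the lines shown in comment 15.

```shell
#!/bin/sh
# Added example (not from the bug report): find the packages an offline
# install cannot satisfy, from `emerge -kpv` output as quoted in comment 15.

# needs_download: read the pretend output on stdin. Print "<package> <kB>"
# for each [ebuild] line with a non-zero download size, then a TOTAL line.
# [binary] lines are prebuilt packages and carry no download size.
needs_download() {
    awk '
        /^\[ebuild/ && $NF == "kB" {
            size = $(NF - 1)
            gsub(/,/, "", size)               # "29,908" -> "29908"
            if (size + 0 == 0) next           # nothing left to fetch
            pkg = substr($0, index($0, "]") + 1)
            sub(/^[ \t]+/, "", pkg)           # strip padding after the tag
            sub(/[ \t].*$/, "", pkg)          # keep category/name-version
            print pkg, size
            total += size
        }
        END { print "TOTAL", total + 0 }
    '
}

# Constructed sample: lines taken from the output quoted in comment 15.
sample_output() {
    cat <<'EOF'
Calculating dependencies    ...done!
[binary  N    ] media-libs/freetype-2.1.5  +bindist +zlib
[binary  N    ] media-libs/libmng-1.0.4
[ebuild  N    ] media-gfx/bootsplash-0.6-r9   507 kB
[ebuild  N    ] sys-kernel/genkernel-3.0.1_rc1   2,037 kB
[ebuild  N    ] sys-kernel/vanilla-sources-2.4.25  -build  29,908 kB
[ebuild  N    ] sys-boot/grub-0.93.20030118  -static  112 kB
EOF
}

sample_output | needs_download
```

A TOTAL other than 0 means the media alone cannot complete the install; in the sample the kernel source is the large item, matching the failure reported in this bug.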
Comment 16 roger55 (RETIRED) gentoo-dev 2004-04-24 09:28:55 UTC
*** Bug 48882 has been marked as a duplicate of this bug. ***
Comment 17 Benjamin Judas (RETIRED) gentoo-dev 2004-08-25 01:31:59 UTC
Closing this one since it was related to 2004.0 and should be fixed in the current release.
Comment 18 Chris Gianelloni (RETIRED) gentoo-dev 2005-03-25 11:24:34 UTC
Moving these so we can remove the "Install CD" component from "Gentoo Linux".

I apologize to everyone for this spam, but according to the bugzilla developers,
this is the only reasonable way to do this.