Security update and hardware: To Slackware or not to Slackware...
 

I'm strongly considering switching my home desktop PC over to Slackware and could do with some advice to make sure that I know what I'm getting in to.

Background
My first experiments with linux some years ago were with "Vector Linux" (a Slackware derivative) which I chose at the time because it is aimed at older hardware and came on a single CD (I was on dial-up at the time.) Vector served me very well for the educational experience until I trashed my system (a nasty accident with a shell script run as root, containing something a bit like "rm -Rf /", you don't want to know... although perhaps that was the most important lesson!)

After that I went through the "Linux from Scratch" book and learned a great deal more. I ran the resulting BLFS system for a couple of years without any problems and really got to know what was going on. I then came to upgrade my PC and no longer had the time or the inclination to go through the "from scratch" process all over again. I installed a flavour of ubuntu about a year ago and enjoyed it for a while. It certainly did what I needed; it gave me a working system without installing every linux program under the sun but also allowed me to install a wide range of extra packages so that I could get on with work that I needed my PC for.

Over time, however, I've fallen a little out of love with ubuntu. My general approach to running my system is "if it ain't broke don't fix it." I spend the time tweaking ubuntu to make the system more like I want it and then an upgrade comes out and I have to start again. The first upgrade I did was remarkably easy but since then they have appeared less and less robust, suffering from glitches preventing various things from working properly without intervention. I've started to feel that lack of control inherent in using such a distribution. I haven't even upgraded to the 7.10 version because ubuntu appears to be going in a direction that isn't compatible with what I want out of *my* desktop.

So, to slackware. Every time I have distribution woes, slackware seems to catch my eye. Simple things like the BSD style init scripts appeal, the reputation for stability and control too. All this sounds like sound reasoning for experimenting with slackware in the near future.

Questions start here...
After this long background essay, the questions I have are actually relatively simple:
1) Once the system is installed from whatever CD/DVD method I choose, do I then need to install the packages from the "patches" section of the ftp site in order to get up to date with security issues? If I choose not to install one of the extra package managers will subscribing myself to the security mailing list (and acting on the advice) be sufficient to keep me out of trouble?

2) I'm likely to compile my own kernel in order to get the rt2500 wifi module to work. To get the nvidia driver to work, do I just follow the steps on nvidia's website or is there are more slackware oriented way to do it?

My personal choice for keeping my Slackware systems patched is slackpkg, which is in the extras directory of Slackware. If you point it at the stable branch (NOT current), and run it when needed, it works well.

I highly recommend Slackware. Like you I've run a number of distros over the years, but, I always come home to my favourite.
I've just finished a week long experiment running Debian Lenny on my main work station. There's nothing wrong with Debian, I do have one Debian 4.0r1 box at home. But, it isn't Slackware. I'm currently re-installing Slack 12 on my main work station.
It is good to be home:-)

While updating packages with security fixes is good practice in general, I really find it to be unecessary actually.. Usually hiding behind a router is sufficient enough to keep you out of trouble security wise. That and keeping as many services off as possible. I haven't installed a firewall or ran updates on windows for 3 years or more without incident. On linux, your 100 times less likely for anything to happen than you are on Windows. Not interested a debate about my above statements just incase anyone is thinking about it... ;) That's just my preference.

I typically just do a fresh install of a newly released Slackware when it comes out and that's it. I don't even upgrade the stock kernel anymore unless I need some extra support that the stock one doesn't have.

Up to you. But yea. Keep an eye on the Security Updates yourself and 'upgradepkg' when necessary. And their are automated proceedures as mentioned above but I've seen those cause a world of trouble in the past. I'd prefer a hand-on approach personally.

I think most people arrive at a crossroads where you are now and Slackware or one of the 3 major BSD's is where you'll end up for good. Nvidia driver should install without incident. Just download the .run file from their web site and run it at the init3 command prompt before you 'startx'. Change your driver line in xorg.conf and that's that. I think the nvidia install process will even do it for you if you want.

I'm just finishing up patching my shiny new install of Slackware 12.0; I just finished downloading all of the security patches that are available that I want from the friendly Utah Slackware mirror ( they have kicking download speeds).
Then all you need to do to install all of them at once is issue one command at a root shell prompt:

#upgradepkg *.tgz

And that is it:-) My Slack box is happily chugging away now upgrading all security patches:-)

I had a strange dream last night and through it I came to the realization that if you want a stable system you must NOT upgrade everything, only in the case of security issues and never something major. It makes sense. Now I understand why Slackware is so stable and secure. This I think is a major thing that separates Slackware from other distros. For example, Ubuntu, Gentoo, FC, and many other mainstream distros upgrade things as soon as they come out, and later they realize that one thing breaks another and yet another breaks another, and then the system goes down. Debian is an exception, along with a few others in that they don't quite rush to be at the bleeding edge. So, that's also a reasonable choice. But, Slackware helps you learn Linux a lot better than other distros, and the BSD-style init scripts make it very easy to understand what happens in part of the boot-up process and to customize it. I personally don't like package managers with dependency management, because they cause more problems than they solve (at least from my experience). However, you could use slapt-get if you want a better package manager.

Security-wise, remember to install updates when they come out, get an 'rc.firewall' script up and running, add a user other than root and don't run dangerous things as root, and disable processes that don't need to be up and are using or listening on external ports. That's pretty much what I do, and I haven't been haxxored yet. There's also rkhunter to check for rootkits.

Good advice. May I also add that installing a file integrity checking system like Aide or Samhain allows you to figure out what has been compromised if the worst does occur.

Good advice, H_TeXMeX_H:-)
Just finished setting up my new Slackware system. I also downloaded rkhunter 1.3.0 from Sourceforge.net. Scanned my system, all clean.

Works for me. That, and the fact that Slacks defaults are far
more sane than those of any of the "friendly" distros.

Perfectly sane, works a treat. Use Pat's .config for the
generic kernel as the base, and then happily chip away on
it 'til you have what suits you best :}



Cheers,
Tink

That attitude is the first step on the way to being
rooted... How is your router/firewall going to stop
an exploit in firefox? Or if you happen to run any
service like smtp or http open to the great unwashed,
will your router do deep packet inspection, and protect
you from Layer-7 attacks?

And feel free not to discuss this, but I think that readers
need to be warned, and am most happy to ignore your lack of
interest in a discussion, and post my view on the matter anyway.



Cheers,
Tink

Yes, security should always be a multi-layered approach from networks, applications, system, and most importantly the user.

Sure Slackware is definitely more stable and secure than most other distros by default, "but you are only as strong your weakest link" (usually that seems to be the user).

I think joining the security mailing list is a good idea. Even if you don't use (or have installed) the software that is patched you at least have an idea of what's going on. Bookmark the server of your choice because ftp.slackware is usually slow.

I keep all my packages separated by Slackbuilds, OfficialSlackPackages, etc. When I need to install or upgrade a system I can just use them straight up.

Ofcourse it was. ;)

4 years of running as root 24/7 and nothing so far.

That is one thing I religiously update. I run my own gnome build and firefox is included in the line up. I'm quicker to update than Pat is.

Might I suggest you install f-prot antivirus on your system as well?

Yes, I agree. Users should be warned. Yes, I'm being stupid by running as root. Yes, I'm complacent with security updates. But If someone finds a way to exploit me because of an old png version then so be it. Chances of that happening are slim indeed. In 6 to 8 months I'll be caught up because of the new Slackware version that I install.

So do I now have permission to forward all the spam I get to you? Crackers live for computers like yours. Old, unpatched security holes make for easier pickings.

That and $10 will get you a cup of Starbucks.

Nvidia is dang easy.

1. Get the source from nvidia
2. Run 'xorgsetup' as root. That will get you a bare bones x setup going
3. Make sure the kernel sources are installed (If using the huge kernel from the install, make sure that the smp kernel source is installed
4. Backup your /etc/X11/xorg.conf just in case
5. Run the Nvidia installer as root or su to root at a cli, no xwidows server running
6. Answer 'no' to the question about 'Do you want a module downloaded'
7. Run xwindows

Looks long and hard, but it is VERY easy.

There's alot more detail in my DRI link in my sig.

Sarcasm?:)
Well, my box is as secure as I can make it with all of the latest security patches. I run my unit as a regular user. I try to practice safe surfing:-)
I love Slackware.:cool:

I have used Slackware maybe a decade ago (after bsd and RH). Then I went through a lot of other distributions until I stopped on Debian (I have tried suse,fedora,buntu but no thanks). Yes, Debian is not Slackware... but as you are using both, could you tell me quickly what are the technical things you don't like in Debian?
Due to personal constraints, I don't think I have the time to go back to recompiling the world so I will probably not go back to Slackware but I'm just curious.
I guess this is the best sub-forum to ask, in Debian I already know the answers I would get.

Thanks for the reply, nx5000:-) It is good to meet another Debian user here. I do have one Debian Etch box at home that I may be upgrading to Lenny( I haven't decided yet). I also run 9 Etch boxes at work.
Technically there is nothing that I dislike about Debian, it has a robust package-management system and is secure by default. This suits me very well as I am a security/stability junky and love Slack, Debian, and FreeBSD.
I guess the one draw back for me about Debian is that the distro is very slow to adopt newer software(a philosophical choice). I do realize that I can get a lot of the newer stuff in Sid, but I'm not willing to give up stability to get newer, secure software.
For example, on my old Lenny box (that I formatted yesterday) Fire Fox was at version 2.0.0.8 and Thunderbird was at 1.5x. I prefer to run a newer, more secure browser and e-mail client; Slackware recently released FF 2.0.0.11 and offers Thunderbird 2.0.0.9(in security updates).
My intention is not to offend my friends in the Debian forum as Debian is a first rate distro and I continue to avidly use it.
I always come home though to Slackware as my first choice for my favourite *nix. I'm running two fully-patched Slackware 12.0 boxes at home:-)

Nah, I get enough spam as it is. Thanks tho.. ;) I also block all images in thunderbird and gmail so you can if you want I suppose.

I do use stop gap measures to counter my not updating anything. It's not like I'm completely oblivious to sane security practices. Believe it or not, I along with 3 others, manage over 300 computers at the Human Ecology Dept of OSU. Mixed Win/Mac environment. That probably has a bearing on why I choose not to do it at home. I have too many things to do when I get home besides continuing to work.

That went over my head. I only spend 3.95 plus a buck tip when I hit Starbucks, but I'm sure that was clever.

I'm certainly not suggesting anyone run as root all the time or even implying that it would probably be ok just because of my expierence with doing it. This computer is nothing but a development box and it doesn't make alot of sense for me to be constantly using sudo/su all the time. I am a bigger threat to my system than anyone else is by running as root. Statistically speaking, that's fact.

As a french proverb say:
Only stupid people never change their mind. It's been since several days I wanted to posted this question, too bad I choose you ;)
If there is a big delay between a package in Unstable and a package in Slackware (dunno slacks new terminology) then yes, you can say that Debian is long to package stuffs.
As you're often hanging around in Debian, you won't discover anything from my answers:
A package can not enter directly in testing. It needs at least 10 days (unless it's priority high==security).. Because newer things are considered untested (from a debian point of view) and then unstable by default. Debian state does not rely on the upstream state: a stable upstream will start unstable in debian.
Also packages which do not work on 11 architectures will not go to testing. Annoying for me (in this only case, I grab it from Unstable), good for people running Dinosaurs..
FF 2.0.0.11 entered mmmhh yesterday :)
Fine, I'm not offended. I just realize that you always come back to your first love ; that's the only argument I see at the moment. Or maybe philosophical with respect to debian process (unstable, stable,..) which is not what I'm curious about.

I don't want to hijack the thread and get stabbed by slackers, I go back to my cave :D
++

Why would you have to "recompile the world"? I imagine you could just install most of the software as a binary package. Do you install everything from source on Debian?

I had the feeling people using Slackware were mostly recompiling everything..
Like these crazy gentooists :)

Only two days after Slack. Not bad.



Cheers,
Tink

Time to redraw the icon and apply a sed script to change the name FF->Iceweasel

At least I'm using a free software ;) :D :D

Actually it was accepted in unstable on the 2nd but it was packaged on the 1st :)

As with Debian you can compile stuff if you wish in Slackware. I compile some programs from source that I need in Slackware. But, you don't need to compile programs in Slackware if you don't want to.
Good talking to you, man:-)

I always check my knife before I enter the LQ forums:-) Yes, there is no technical reason for me to choose Slackware over Debian. It is all good, that is why I use both of them:-)

later,

hitest:)

Heh, no I am not one of those people that feel that in order for me to get the most out of my hardware I have to be compiling something 24-7! ;) Maybe some of those people should donate some of their CPU time instead to medical research. :)

As many Slackers do, I do compile quite a lot of my own software, but I almost never compile anything that is available as an official package. Plus, if I need to setup another machine I just use the packages I have already made; I don't recompile (the world) them again.

This is definitely more selective and intelligent than recompiling half (or even a whole) system just for a few new packages (and their supposed missing/outdated/"too new" dependencies).

And it was publicly available for Slack 10.2, 11, 12 and current on the 1st :}

10.2 was released in 2005.



Cheers,
Tink

I agree. I think the word 'recompiling' should be changed to 'compiling' in order for nx5000's statement to be true, because I don't re-compile ... almost ever ... I mean it's quite rare. I compile once and save the package for later.

@ nx5000

I think you're incorrectly grouping Slackware with Gentoo ... no, no, they are very different, and I can see that you have never tried either one (or maybe only Gentoo, but I doubt it).

Besides, how can you learn without doing ? If all you know is apt-get, what do you do when a package isn't in the repo ? You don't use it ? What about when there's something wrong with the kernel on a particular machine, what do you do ? Do you try to compile your own ? Can you ? Would you ?

* readies machete 1d12 *

Wow so many replies! Were you bored among slackers or what? :)
Sorry Vrajgh..

I won't surrender.
On the 1st of december debian packaged iceweasel for
sparc
powerpc
mipsel
ia64
hppa
i386
amd64
alpha

8 points :)

Not bad. That's an argument.

Yes it looks like I had some prejudices ;) about people using slackware.
And no, as I said, the first linux distribution that crossed my PC was the first one I got as a CD, ~10 years ago.
It was the jungle on my PC :) At the time I was using rpms and sometimes recompiling.

Never happens :D
We've got the biggest..
...repository :)
Actually some games I do and I'm also maintainer of some packages.
My video driver lacks one byte of c code that is not integrated in testing and without this byte, kernel lockup sometimes. So this is currently my only recompiled stuff that I use everyday.
lol take care with your machete.
Yes I can but I compile it the debian way :)
I'm not really in IT so I don't have much experience with a lot of hardware. But I do have my own kernel, which is at the minimum 0.001% faster than the default one. At least, it's smaller.

At least I can say that the welcome is good in slackware forum.
Thanks for the replies!

Well, as the OP I ought to jump into the discussion and thank everyone for the replies that were directly relevant to me and for everyone else on their asides. It's always interesting to see where discussions lead and what different people think! :) I


As for me, when I get around to it I'll have a play with Slackware. My system isn't actually broken at the moment so it might take me a while to build up the motivation! The posts on this thread have given me some idea of what I'll need to do post install and I'm in the process of looking through my configs to find any obscure tweaks in my current config that I might have to copy in the next install.

I'll probably continue the wanderings from distro to distro that everyone does. Oddly though, I tend to stick with the same distro for at least a year before moving on. I read a lot of newbie threads about people who've tried out half a dozen within the first month or two. That sounds too much like hard work for me!