After 23 years, I am considering abandoning slackware
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
After 23 years, I am considering abandoning slackware
I've been using Slackware since the very first version came out in 1993, and I have about 10 machines currently running. While don't claim to be an expert, I am not timid when it comes to linux either. May be this is the wrong forum to ask, but am looking for some suggestions on what other distributions might be worth checking out. Here are some of my issues with slack:
- There have not been any Slackware updates in 3 years. I had to update some security patches at the insistence of our IT department. I installed these from Slackware-current but they failed due to inconsistent dependencies. So I installed the entire Slackware-current, and now even slackpkg is broke. It fails with "awk: error while loading shared libraries: libsigsegv.so.2: cannot open shared object file: No such file or directory". I can track down these libraries by hand one by one, but it seems to go on and on forever. Its probably easier to wipe out everything and start from scratch.
- Despite years of use, I am still unclear how to automate package updates. I have been using Sbopkg, which syncs with slackbuilds, but slackbuilds does not contain any of the stock packages that come with the default distribution. So for security patches to critical packages, the only place seems to be slackware-current, which turns out may break the entire system due to dependency problems, including slackpkg itself.
- There have not been any Slackware updates in 3 years. I had to update some security patches at the insistence of our IT department. I installed these from Slackware-current but they failed due to inconsistent dependencies.
Bad idea to install packages from -current on top of 14.1... AFAIK security updates will get backported to 14.1... have a look to the ChangeLog here.
If you are missing a security update... message the developers. Installing updates from -current on top of 14.1 must leave your system in a unknown state of stability. -current is far ahead of 14.1.
There have been plenty of updates over the past 2+ years (see the stable changelog and maybe consider signing up for the mailing list or grab the rss url and plug it into your favorite rss reader). While there hasn't been any stable releases in that time, security updates have been continually pumped out. 14.1 has had continual updates since it was released, with the latest one only being released yesterday (security updates for firefox and samba). Are you aware of the patches/ directory on your favorite Slackware mirror? If you are, what did you get from -current that wasn't updated in 14.1? Also, it is never a good idea to grab packages from a different version and try to install it on yours (in your case, getting packages from -current and install them on 14.1). As you found, you run into dependency issues. If the updates you need are not actually in 14.1 and they do exist in -current, it is much better to grab the source directory and compile the package yourself using Pat's SlackBuild.
And if stability is a concern, -current should not be used. While it does tend to be stable, it is not guaranteed to be and there is definitely the possibility of breakage. Production systems should especially steer clear of -current unless you are very familiar with how to fix possible breakages (and you're willing to do it). Now, if slackpkg is broken, then something went wrong with the upgrade. What steps did you follow to upgrade? What is the full error? libsigsegv.so.2 is part of aaa_elflibs and libsigsegv, but it isn't recommended to just blindly upgrade the aaa-elflibs package unless you've been keeping up with -current and a new aaa-elflibs was just released. You could try reinstalling the libsigsegv package, but as you already guessed, depending how what all has been done, you might need to reinstall a lot more to get a properly working system.
Automatic package updates just doesn't occur with Slackware without some work on your end. The closest you can get is using slackpkg for official packages, which will keep you up-to-date with any security updates that Pat releases. If you maintain several 3rd-party packages, it might be worth looking into slackrepo in conjunction with the slackpkg+ plugin, as that will allow you to compile programs from SBo and create a repo that you can then use with slackpkg+. You'll still need to launch slackpkg on each computer to keep it up-to-date, unless you're willing to set up something more automated like using a cron job, but it would probably be best to not completely automate something like that in case an update requires some work on your part (like the semi-recent update of openssh that changed the login defaults for root, which there was a large announcement on the changelog trying to let people know).
And, finally, it probably isn't best to come in here and state your possible intentions to ditch Slackware because of a misunderstanding (especially after 23 years). And without knowing more of what you need a distro to accomplish, it would just be shots in the dark in trying to find you a better distro.
So I installed the entire Slackware-current, and now even slackpkg is broke. It fails with "awk: error while loading shared libraries: libsigsegv.so.2: cannot open shared object file: No such file or directory".
It took me about 5 minutes to determined what you did wrong. You used slackpkg to upgrade 14.1 to -current, and you left aaa_elflibs in the blacklist when you did so.
On another note, I used Slackware since the 90's also, basically from the beginning. I just got tired, I guess, for the contortions to get some things running, so I switched to Arch last year. Arch is also a keep it simple distro, not a hand holder, but as a rolling release, it is always up to date. That, of course, has pros and cons, but the documentation for Arch is legendary and I have found it much more stable than, say, Fedora. So if you wanted an alternative suggestion from a long term Slacker who's switched, there it is. If you wanted to complain about Slackware, then I think the previous suggestions are great.
It took me about 5 minutes to determined what you did wrong. You used slackpkg to upgrade 14.1 to -current, and you left aaa_elflibs in the blacklist when you did so.
I'm glad I asked. I guess I have not been using the /patches directory from the mirrors properly. I'll stick around with Slackware and see if I can somehow automate that process.
I'm glad I asked. I guess I have not been using the /patches directory from the mirrors properly. I'll stick around with Slackware and see if I can somehow automate that process.
When I switched from 14.1 to -current, I backed up my data, made a -current boot USB, let the installer format the partition, and did a fresh install.
I'll stick around with Slackware and see if I can somehow automate that process.
As I mentioned in my initial post, be careful about complete automation as some security patches may have a significant impact on the system. I'll quote Pat's changelog entry below...
Code:
Fri Jan 15 02:29:54 UTC 2016
patches/packages/openssh-7.1p2-x86_64-1_slack14.1.txz: Upgraded.
This update fixes an information leak and a buffer overflow. In particular,
the information leak allows a malicious SSH server to steal the client's
private keys. Thanks to Qualys for reporting this issue.
For more information, see:
https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0777
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0778
*****************************************************************
* IMPORTANT: READ BELOW ABOUT POTENTIALLY INCOMPATIBLE CHANGES *
*****************************************************************
Rather than backport the fix for the information leak (which is the only
hazardous flaw), we have upgraded to the latest OpenSSH. As of version
7.0, OpenSSH has deprecated some older (and presumably less secure)
algorithms, and also (by default) only allows root login by public-key,
hostbased and GSSAPI authentication. Make sure that your keys and
authentication method will allow you to continue accessing your system
after the upgrade.
The release notes for OpenSSH 7.0 list the following incompatible changes
to be aware of:
* Support for the legacy SSH version 1 protocol is disabled by
default at compile time.
* Support for the 1024-bit diffie-hellman-group1-sha1 key exchange
is disabled by default at run-time. It may be re-enabled using
the instructions at http://www.openssh.com/legacy.html
* Support for ssh-dss, ssh-dss-cert-* host and user keys is disabled
by default at run-time. These may be re-enabled using the
instructions at http://www.openssh.com/legacy.html
* Support for the legacy v00 cert format has been removed.
* The default for the sshd_config(5) PermitRootLogin option has
changed from "yes" to "prohibit-password".
* PermitRootLogin=without-password/prohibit-password now bans all
interactive authentication methods, allowing only public-key,
hostbased and GSSAPI authentication (previously it permitted
keyboard-interactive and password-less authentication if those
were enabled).
(* Security fix *)
This is why I would recommend subscribing to the security mailing list or follow one of the rss feeds provided by SBo (links to both are in my above post -- I am just too lazy to repost them here). This way you are notified as soon as patches are released and you can gauge their potential impact before upgrading systems.
If you do want to more fully automate it without blindly upgrading, you could maintain your own internal "mirror" and create a slackpkg script that will check and upgrade their systems based on your local mirror. You can initially clone your favorite 14.1 mirror and then once you see a security advisory posted, you can verify how that package will work with your system. If you don't see any problems, you can add that package to your local mirror and then a scheduled slackpkg script (probably through cron) could update all the local computers you're managing based on that local mirror (I would maintain that mirror manually rather than scheduled rsync updates).
As I mentioned in my initial post, be careful about complete automation as some security patches may have a significant impact on the system.
Indeed. That's one of the many reasons why I prefer and run Slackware. I enjoy reading the changelogs for the stable and -current branches. It is desirable to be informed before you patch your systems. I prefer package management systems that are not automated. It is better to have your hand on the tiller than rely on auto pilot in my opinion.
I'm glad I asked. I guess I have not been using the /patches directory from the mirrors properly. I'll stick around with Slackware and see if I can somehow automate that process.
slapt-get is probably the solution to most of your problems.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.