Hi there,

I've installed Slackware and wonder about how to install software and keep it up to date.

1. The Slackware base system contains a lot of software, but it's definately not enough.

I found some websites wich offer Slackware Packages like You cannot post URLs to other sites until you have made at least 1 other post, but how can I trust them? I mean, by installing third parity software for Windows, I get Trojan Horses, Viruses and so forth.


2. How do I keep my sofware base up to date?

2a Apparently, I need to subscribe to slackware-security and whenever a security advisor comes out, I need to download it and install it. Hmmm, that's not very convinient. I try to automate it with this script

cd /usr/src/slackware/patches
wget -nd -N -c You cannot post URLs to other sites until you have made at least 1 other post
upgradepkg *.tgz

Whenever this script has proven to be usable, I'll run it as a daily cron job.

Good idea?


2b How can I keep my third parity packages up to date?

I can't, can I?


3. Ugrading to Slackware 13.

Whenever slackware 13 comes out, I can upgrade it according the some documentation I found on the ftp server.

How do I upgrade third parity packages, then? I need to figure out which of the installed packages are third parity packages and then I need to download them all by hand?


Bash

First Link: http://www.linuxpackages.net/
Second Link: ftp://ftp.slackware.com/pub/slackwar...packages/*.tgz

This forum and the slackware related channels on IRC will help you finding out which package repositories are trustworthy. It will not be easy to find Slackware package repositories with malicious software in them - I have not yet seen such packages. But you can pay safe by using SlackBuild scripts that allow you to easlily build a Slackware package out of a program's source code - you are in full control of building the package.
The http://slackbuilds.org web site hosts a fairly big repository of such SlackBuild scripts.

Eric

Yeah, I would like to hear of malicious Slackware package. It might come with unlisted dependencies and so forth but malicious... I don't think so. Such package would be immediately removed from all the repos where it is kept.


About third party apps. Do all third party apps in Windows update themselves when new version comes. No. Linux development cycle is very different than it is in Windows. You can always access cvs/svn/others repositories to get the bleeding edge source code (that means you could go and update your apps even every day).


Some 3-rd party apps might break and you'll need to recompile them again.

2. How do I keep my sofware base up to date?

Swaret (http://swaret.sourceforge.net/) works well for this. To get it started:

• 'cp /etc/swaret.conf.new /etc/swaret.conf' to get a basic config file
• edit the version line to be 12.0
• 'swaret --update' to get the up-to-date file lists
• 'swaret --upgrade' to upgrade your packages to there most recent versions (ie the .../patches/packages directory on an official mirror)

Minor warning: I think 'swaret --upgrade' may install an updated package even if you don't have the original package installed, but I'm not sure about this (as I have everything installed)

The default swaret.conf file only makes use of official mirros, but you can easily add any repository you want - which swaret can acquire packages from and keep them up to date for you. The two I know of are: http://www.linuxpackages.net/ , http://www.slacky.eu/ . I've never had any problem with packages from any of these sites, and they have enough users that if someone manages to upload a bad package it will most likely be discovered fairly quickly.

Hi friends,

As much as I like the simplicity of Slackware and the filesystem organisation, I have some concerns about the lack of packages and how this is handled with third party sites.



I trust the major Unix distributors, may it be Slackware, the three major BSD distributions or others. They vouch with their name for the whole distribution.

The problem I see so far with Slackware is that I rely on packages created by people I do not know. That's of no concern for you guys?



I was on the swaret site. This project seems neither alive nor dead. The documentation is sparse - not sure what it really has to offer. The problem with my script (see above) is that it doesn't take care of third party software. Due to lack of alternatives, I will probably have to install and use swaret, anyway.


I mean, whenever a new Slackware version comes out, I want to have software packages compiled for this new version of Slackware. This is not how it works on Windows, but this is how it works on most unix distributions.


Actually, this raises another question:

The day Slackware 13 comes out, will there be any third party slackware packages for this new version? I assume it will take some days, weeks or months. Hence, I should wait some time for upgrading to Slackware 13. This looks suboptimal.


Another question:

Are these third parity sites bringing out new packages for newly discovered security holes, or will I be on my own?


Bash

No, it is of no concern to us that you do not know these people. Use the Slackware forum and visit Slackware channels on IRC if you need confirmation. And as I said before, you can build the packages yourself. This is Slackware. You are in control. You do not have to rely on other people to compile your software.

My guess is, you may need to have to go back to Windows to find reassurance. Or better, find the answers to these basic questions of yours first - and then come back for the real questions.

Eric

Hello Eric,

These have been my real questions ;(

Bash

Bottomline is, if you install 3rd party applications on your machine, then you are solely responsible for keeping them up to date.
You come from the Windows world where 3rd party apps may contain trojans and other vile stuff, and I suppose that you should not recklessly install software on a Linux machine either. But IMO the risk is not at all as big as it is in Windows.

Inform yourself about the sites / package builders that can be trusted and where you can obtain good quality packages. If you decide none of them can be trusted, compile your own packages from source. A SlackBuild script is an easy way to build a package (if you trust the writer of the script of course...)

Eric

Yeah, swaret hasn't been updated in awhile, but it still works perfectly fine.

A few good places to with info on package management:

- http://www.slackersbible.org/?q=node/46
- http://www.slackbasics.org/html/chap-pkgmgmt.html
- The sig of the post above this

1. The best way to add 3rd party packages, IMO, is to use slackbuilds and compile the programs yourself. That way you know exactly what your getting. Most of the time, you will be able to find a slackbuild for the program your looking for on SlackBuilds.org.

2a. Automation is not always the best way to do something.

2b. When a new version of a program comes out, you normally only need to change the version number in the SBo slackbuild in order to recompile it (if more is needed, an update to the script is usually already on its way). After that, a simple upgradepkg an your up-to-date.

3. Recompile your programs against the new version of Slack using the slackbuilds.

MagicMan

P.S. If you would rather have someone else do the work for you, it can be difficult as a new Slack user to know what packages can be trusted. I for one only use packages built by either Eric or Rob when I'm to busy to build them for myself (these guys help maintain Slack and know the ins and outs of package recreation quite well). Going this route, however, puts you at the mercy of the packager. You will have to wait until they decide to update a package.

http://www.linuxquestions.org/questi...pdates-607701/

http://www.linuxquestions.org/questi...st-way-613588/

http://www.linuxquestions.org/questi...atches-611567/

http://www.linuxquestions.org/questi...log...-607869/

1st 3 are on topic and within the very first 5 pages of the archives of this very forum. IOW I didn't use the search, I instead just thumbed quickly through pages 1 through 5 (found near the bottom of this forum's web page) that took me two and a half minutes.

4th link above eventually wanders into off topic to do with Perl programming (I know, I participated. BTW I will finish the Perl and post it too).

I've not ever had a prob with any Slack 3rd party pkg, linuxpackages or otherwise.

This is Slackware.

Linux is it's own world.

Slackware tends, somewhat, to be it's own (well, Slack is a distro).

I think that you're unfairly comparing something else from a different world and attempting to compare that something to the goings on that take place in the Slackware world.

Not all things in other worlds even apply to the Slackware world. (not that it can't -- but some things have just not been a prob in Slack).

If you're paranoid, any Slackware package, you can peek inside it and totally inspect its contents prior to installing. I rarely do this sometimes just to see how a package is built -- I've never done it due to mistrust that perhaps the pkg is loaded with Trojan, etc.

Anyways, like, where's your sys and your data backups at anyways just in case of huge power flicker or big surge that severely corrupts data on your hard drive. Lightning storm, etc.

Such backups *also* may be used in the case of breakin and/or trojan, etc.

--
Alan.

The main issue with installing willy-nilly is conflicting libs , etc. You might want one module to load, but get another, and so on. (Happens to me rather often. qemu helps a whole bunch. But that's a whole other ball o' wax)

You have choices, Bash Rules

1. Don't get ANY 3rd party software. (Personally, I think this is unreasonable)
2. Research whatever packages that you are interested in on irc, or some other discussion area. See how often they are updated. Write scripts, etc.
3. Compile/package the thing yourself (My personal favorite). "Use the source, Luke!" used to be a big saying in Linux.

As far as using any "auto-magic-update" program to update your Slackware base install, first do a quick search of this forum for "break" and "update"Amazing how many times that swaret or its cousins are involved. BUT, having said that, it's your system. Use what you wish. I just have a queezy feeling anytime I let my system out of my hands.

And that is the REAL bottom line. It's your system, use it, update it, change it, break it even, any way you wish. It's yours. There's no Bill Gates sitting here saying "YOU CAN'T DO THAT!!!". As a matter of fact, the Slackware community says "You CAN do that. "

I have complete confidence in the packages that Eric and Robby make for us; I trust them.
Slackware is a success because we have developers who are dedicated to their work. I greatly appreciate their work:-) Thanks, guys!

I guess I'd better cop to the making of a mistake here.

I suppose binary components could be inside such pkg whereby could not see inside such components (cannot *totally* inspect).

Well, if you're really paranoid then just build all of your own 3rd party pkgs it's easy to do so on Slack (I build most of mine). ***Source code cannot contain anything hidden***

Compile your own binarys -- you are totally in control -- *you* *know* what got put into those binaries.

--
Alan.