Beyond Linux® From Scratch

Version 7.6

The BLFS Development Team

Copyright © 2001-2014, The BLFS Development Team

All rights reserved.

This book is licensed under a Creative Commons License.

Computer instructions may be extracted from the book under the MIT License.

Linux® is a registered trademark of Linus Torvalds.


Revision History
Revision 7.6 2014-09-23 Tenth release
Revision 7.5 2014-03-05 Ninth release
Revision 7.4 2013-09-14 Eighth release
Revision 6.3 2008-08-24 Seventh release
Revision 6.2.0 2007-02-14 Sixth release
Revision 6.1 2005-08-14 Fifth release
Revision 6.0 2005-04-02 Fourth release
Revision 5.1 2004-06-05 Third release
Revision 5.0 2003-11-06 Second release
Revision 1.0 2003-04-25 First release


This book follows on from the Linux From Scratch book. It introduces and guides the reader through additions to the system including networking, graphical interfaces, sound support, and printer and scanner support.


This book is dedicated to the LFS community



Having helped out with Linux From Scratch for a short time, I noticed that we were getting many queries as to how to do things beyond the base LFS system. At the time, the only assistance specifically offered relating to LFS were the LFS hints. Most of the LFS hints are extremely good and well written but I (and others) could still see a need for more comprehensive help to go Beyond LFS - hence BLFS.

BLFS aims to be more than the LFS-hints converted to XML although much of our work is based around the hints and indeed some authors write both hints and the relevant BLFS sections. We hope that we can provide you with enough information to not only manage to build your system up to what you want, whether it be a web server or a multimedia desktop system, but also that you will learn a lot about system configuration as you go.

Thanks as ever go to everyone in the LFS/BLFS community; especially those who have contributed instructions, written text, answered questions and generally shouted when things were wrong!

Finally, we encourage you to become involved in the community; ask questions on the mailing list or news gateway and join in the fun on #lfs. You can find more details about all of these in the Introduction section of the book.

Enjoy using BLFS.

Mark Hymers
markh <at>
BLFS Editor (July 2001–March 2003)

I still remember how I found the BLFS project and started using the instructions that were completed at the time. I could not believe how wonderful it was to get an application up and running very quickly, with explanations as to why things were done a certain way. Unfortunately, for me, it wasn't long before I was opening applications that had nothing more than "To be done" on the page. I did what most would do, I waited for someone else to do it. It wasn't too long before I was looking through Bugzilla for something easy to do. As with any learning experience, the definition of what was easy kept changing.

We still encourage you to become involved as BLFS is never really finished. Contributing or just using, we hope you enjoy your BLFS experience.

Larry Lawrence
larry <at>
BLFS Editor (March 2003–June 2004)

The BLFS project is a natural progression of LFS. Together, these projects provide a unique resource for the Open Source Community. They take the mystery out of the process of building a complete, functional software system from the source code contributed by many talented individuals throughout the world. They truly allow users to implement the slogan "Your distro, your rules."

Our goal is to continue to provide the best resource available that shows you how to integrate many significant Open Source applications. Since these applications are constantly updated and new applications are developed, this book will never be complete. Additionally, there is always room for improvement in explaining the nuances of how to install the different packages. To make these improvements, we need your feedback. I encourage you to participate on the different mailing lists, news groups, and IRC channels to help meet these goals.

Bruce Dubbs
bdubbs <at>
BLFS Editor (June 2004–December 2006)

My introduction to the [B]LFS project was actually by accident. I was trying to build a GNOME environment using some how-tos and other information I found on the web. A couple of times I ran into some build issues and Googling pulled up some old BLFS mailing list messages. Out of curiosity, I visited the Linux From Scratch web site and shortly thereafter was hooked. I've not used any other Linux distribution for personal use since.

I can't promise anyone will feel the sense of satisfaction I felt after building my first few systems using [B]LFS instructions, but I sincerely hope that your BLFS experience is as rewarding for you as it has been for me.

The BLFS project has grown significantly the last couple of years. There are more package instructions and related dependencies than ever before. The project requires your input for continued success. If you discover that you enjoy building BLFS, please consider helping out in any way you can. BLFS requires hundreds of hours of maintenance to keep it even semi-current. If you feel confident enough in your editing skills, please consider joining the BLFS team. Simply contributing to the mailing list discussions with sound advice and/or providing patches to the book's XML will probably result in you receiving an invitation to join the team.

Randy McMurchy
randy <at>
BLFS Editor (December 2006–January 2011)


This is the development version of the BLFS book. This version of the book is intended to be used when building on top of a system built using the LFS development book as well as the current stable version of LFS. Though this version of the book is development in nature, every effort has been made to ensure accuracy and reliability of the instructions. Many people find that using the instructions in this book after building the current stable or development version of LFS provides a stable and very modern Linux system.


Randy McMurchy
August 24th, 2008

Last updated on 2012-08-22 06:45:43 -0700

Who Would Want to Read this Book

This book is mainly aimed at those who have built a system based on the LFS book. It will also be useful for those who are using other distributions, but for one reason or another want to manually build software and are in need of some assistance. Note that the material contained in this book, in particular the dependency listings, is based upon the assumption that you are using a base LFS system with every package listed in the LFS book already installed and configured. BLFS can be used to create a range of diverse systems and so the target audience is probably nearly as wide as that of the LFS book. If you found LFS useful, you should also like this!

Last updated on 2012-08-22 06:45:43 -0700


This book is divided into the following parts.

Part I - Introduction

This part contains information which is essential to the rest of the book.

Part II - Post LFS Configuration and Extra Software

Here we introduce basic configuration and security issues. We also discuss a range of editors, file systems, and shells which aren't covered in the main LFS book.

Part III - General Libraries and Utilities

In this section we cover libraries which are often needed by the rest of the book as well as system utilities. Information on Programming (including recompiling GCC to support its full range of languages) concludes this part.

Part IV - Basic Networking

Here we cover how to connect to a network when you aren't using the simple static IP setup given in the main LFS book. Networking libraries and command-line networking tools are also covered here.

Part V - Servers

Here we deal with setting up mail and other servers (such as SSH, Apache, etc.).

Part VI - X + Window Managers

This part explains how to set up a basic X Window System installation along with some generic X libraries and Window managers.

Part VII - KDE

For those who want to use the K Desktop Environment or some parts of it, this part covers it.


Part VIII - GNOME

GNOME is the main alternative to KDE in the Desktop Environment arena.

Part IX - Xfce

Xfce is a lightweight alternative to GNOME and KDE.

Part X - X Software

Office programs and graphical web browsers are important to most people. They, along with some generic X software can be found in this part of the book.

Part XI - Multimedia

Here we cover setting up multimedia libraries and drivers along with some audio, video and CD-writing programs.

Part XII - Printing, Scanning and Typesetting (PST)

The PST part of the book covers document handling, from applications like Ghostscript, CUPS and DocBook to installing texlive.


Appendices

The Appendices cover information which doesn't belong in the main book; they are mainly there as a reference.

Last updated on 2014-08-06 17:44:46 -0700

Part I. Introduction

Chapter 1. Welcome to BLFS

The Beyond Linux From Scratch book is designed to carry on from where the LFS book leaves off. But unlike the LFS book, it isn't designed to be followed straight through. Reading the Which sections of the book? part of this chapter should help guide you through the book.

Please read most of this part of the book carefully as it explains quite a few of the conventions used throughout the book.

Which Sections of the Book Do I Want?

Unlike the Linux From Scratch book, BLFS isn't designed to be followed in a linear manner. This is because LFS provides instructions on how to create a base system which is capable of turning into anything from a web server to a multimedia desktop system. BLFS attempts to guide you in the process of going from the base system to your intended destination. Choice is very much involved.

Everyone who reads the book will want to read certain sections. The Introduction part, which you are currently reading, contains generic information. Especially take note of the information in Chapter 2, Important Information, as this contains comments about how to unpack software, issues related to using different locales and various other aspects which apply throughout the book.

The part on Post LFS Configuration and Extra Software is where most people will want to turn next. This deals with not just configuration but also Security (Chapter 4, Security), File Systems (Chapter 5, File Systems and Disk Management), Editors (Chapter 6, Editors) and Shells (Chapter 7, Shells). Indeed, you may wish to reference certain parts of this chapter (especially the sections on Editors and File Systems) while building your LFS system.

Following these basic items, most people will want to at least browse through the General Libraries and Utilities part of the book. This part contains information on many items which are prerequisites for other sections of the book as well as some items (such as Chapter 13, Programming) which are useful in their own right. Note that you don't have to install all of these libraries and packages found in this part to start with as each BLFS installation procedure tells you which packages it depends upon so you can choose the program you want to install and see what it needs.

Likewise, most people will probably want to look at the Networking part. It deals with connecting to the Internet or your LAN (Chapter 14, Connecting to a Network) using a variety of methods such as DHCP and PPP, and with items such as Networking Libraries (Chapter 17, Networking Libraries) and various basic networking programs and utilities.

Once you have dealt with these basics, you may wish to configure more advanced network services. These are dealt with in the Servers part of the book. Those wanting to build servers should find a good starting point there. Note that this section also contains information on various database packages.

The next parts of the book principally deal with desktop systems. This portion of the book starts with a part talking about X and Window Managers. This part also deals with some generic X-based libraries (Chapter 25, X Libraries). After this, KDE and GNOME are given their own parts which are followed by one on X Software.

The book then moves on to deal with Multimedia packages. Note that many people may want to use the ALSA-1.0.28 instructions from this chapter quite near the start of their BLFS journey; they are placed here simply because it is the most logical place for them.

The final part of the main BLFS book deals with Printing, Scanning and Typesetting. This is useful for most people with desktop systems and even those who are creating mainly server systems will find it useful.

We hope you enjoy using BLFS and find it useful.

Last updated on 2012-12-19 11:57:20 -0800

Conventions Used in this Book

To make things easy to follow, there are a number of conventions used throughout the book. Following are some examples:

./configure --prefix=/usr

This form of text is designed to be typed exactly as seen unless otherwise noted in the surrounding text. It is also used to identify references to specific commands.

install-info: unknown option

This form of text (fixed width text) is showing screen output, probably a result from issuing a command. It is also used to show filenames such as /boot/grub/grub.conf


This form of text is used for several purposes in the book but mainly to emphasize important points or to give examples as to what to type.

This form of text is used for hypertext links external to the book such as HowTos, download locations, websites, etc.


This form of text is used for links internal to the book such as another section describing a different package.

cat > $LFS/etc/group << "EOF"

This type of section is used mainly when creating configuration files. The first command (in bold) tells the system to create the file $LFS/etc/group from whatever is typed on the following lines until the sequence EOF is encountered. Therefore, this whole section is generally typed as seen.


This form of text is used to encapsulate text that should be modified and is not to be typed as seen, or copy and pasted. Note that the square brackets are not part of the text, but should be substituted for as well.


This form of text is used to show a specific system user or group reference in the instructions.

Last updated on 2007-04-04 12:42:53 -0700

Book Version

This is BLFS-BOOK version 7.6 dated September 23rd, 2014. This is the development branch of the BLFS book, currently targeting the LFS development book. If this version (7.6) is older than a month, it's likely that your mirror hasn't been synchronized recently and a newer version is probably available for download or viewing. Check one of the mirror sites for an updated version.

Last updated on 2008-05-10 18:20:50 -0700

Mirror Sites

The BLFS project has a number of mirrors set up world-wide to make it easier and more convenient for you to access the website. Please visit the website for the list of current mirrors.

Last updated on 2007-04-04 12:42:53 -0700

Getting the Source Packages

Within the BLFS instructions, each package has two references for finding the source files for the package—an HTTP link and an FTP link (some packages may only list one of these links). Every effort has been made to ensure that these links are accurate. However, the World Wide Web is in continuous flux. Packages are sometimes moved or updated and the exact URL specified is not always available.

To overcome this problem, the BLFS Team, with the assistance of Server Beach, has made an HTTP/FTP site available. This site has all the sources of the exact versions of the packages used in BLFS. If you can't find the BLFS package you need, get it there.

We would like to ask a favor, however. Although this is a public resource for you to use, please do not abuse it. We have already had one unthinking individual download over 3 GB of data, including multiple copies of the same files that are placed at different locations (via symlinks) to make finding the right package easier. This person clearly did not know what files he needed and downloaded everything. The best place to download files is the site or sites set up by the source code developer. Please try there first.

Last updated on 2012-12-19 11:57:20 -0800

Change Log

Current release: 7.6 – September 23rd, 2014

Changelog Entries:

  • September 23rd, 2014

    • [bdubbs] - Release of BLFS-7.6.

  • September 21st, 2014

    • [fernando] - Pidgin-2.10.9 and LXDM-0.5.0: fixes.

    • [pierre] - Update to thunderbird-31.1.1. Fixes #5461.

  • September 20th, 2014

    • [fernando] - Update to lxrandr-0.3.0. Fixes #5535.

    • [fernando] - Update to lxappearance-0.5.6. Fixes #5534.

  • September 19th, 2014

    • [bdubbs] - Update to wireshark-1.12.1. Fixes #5523.

    • [bdubbs] - Update to seamonkey-2.29. Fixes #5484.

    • [fernando] - Fixes and tweaks: Avahi-0.6.31, lxde-common-0.5.6, LXSession-, Brasero-3.10.0 and gnome-nettool-3.8.1.

    • [fernando] - Update to gnome-calculator-3.12.4. Fixes #5516.

    • [bdubbs] - Update haveged bootscript.

  • September 18th, 2014

    • [ken] - Update to firefox-32.0.1. Fixes #5503.

    • [bdubbs] - Update to xfce4-power-manager-1.4.0. Fixes #5521.

    • [bdubbs] - Add note about when a reinstall of amarok is required. Finish fixing #5238.

  • September 17th, 2014

    • [bdubbs] - Update to kde-4.14.1. Fixes #5519.

    • [bdubbs] - Update to colord-1.2.3. Fixes #5505.

    • [ken] - Update to dbus-1.8.8. Fixes #5524.

    • [fernando] - Fixes and tweaks: GPicView-0.2.4, LXDM-0.5.0, PCManFM-1.2.2, and Vim-7.4.

    • [fernando] - Update to lxinput-0.3.3. Fixes #5529.

    • [fernando] - Update to lxtask-0.1.5. Fixes #5528.

    • [fernando] - Update to lxappearance-obconf-0.2.2. Fixes #5527.

    • [fernando] - gnome-icon-theme-3.12.0: remove dependency XML::Simple-2.20, because it is required by icon-naming-utils-0.8.90, which is required by gnome-icon-theme.

    • [pierre] - Use the same upstream GCC patch in BLFS as in LFS. Tag all three GCC pages.

  • September 16th, 2014

    • [bdubbs] - Update to xscreensaver-5.30. Fixes #5504.

    • [bdubbs] - Update to p11-kit-0.20.6. Fixes #5492.

    • [bdubbs] - Update to libdvdread-5.0.0. Fixes #5490.

    • [bdubbs] - Update to libdvdnav-5.0.1. Fixes #5491.

  • September 15th, 2014

    • [bdubbs] - Change libdbusmenu-qt prefix to /usr. Partially fixes #5238.

    • [bdubbs] - Change grantlee prefix to /usr. Partially fixes #5238.

    • [bdubbs] - Change qjson prefix to /usr. Partially fixes #5238.

    • [bdubbs] - Change qca prefix to /usr. Partially fixes #5238.

    • [ken] - Clarify install-tl-unx runtime dependencies. Fixes #5502.

    • [bdubbs] - Update to lxrandr-0.2.0. Fixes #5517.

  • September 14th, 2014

    • [fernando] - Revert 'add optional instructions for sqlite-tcl to SQLite-3.8.6'. Fixes #5512.

    • [fernando] - ICU-53.1: not anymore broken with clang++.

  • September 14th, 2014

    • [fernando] - Update to whois_5.2.0. Fixes #5510.

    • [fernando] - Add optional instructions for sqlite-tcl to SQLite-3.8.6. Fixes #5512.

    • [fernando] - tcl-8.6.2: fixes for the build instructions. Fixes #5511.

    • [bdubbs] - Update to valgrind-3.10.0. Fixes #5506.

    • [bdubbs] - Update to lxmenu-data-0.1.4. Fixes #5489.

    • [bdubbs] - Update to lxde-icon-theme-0.5.1. Fixes #5509.

  • September 13th, 2014

    • [pierre] - Update to Xorg Nouveau Driver-1.0.11. Fixes #5469.

  • September 12th, 2014

    • [pierre] - Patch MesaLib-10.2.7 to account for the new LLVM API, which breaks the build and OpenGL. Fixes #5497.

    • [bdubbs] - Update to bluez-5.23. Fixes #5483.

    • [fernando] - Add libfm-extra- Fixes #5501.

  • September 11th, 2014

    • [ken] - asy from the binary install-tl-unx now requires and, at least on i686.

    • [bdubbs] - Update to xf86-video-intel-2.99.916. Fixes #5493.

  • September 10th, 2014

    • [ken] - fix xf86-video-ati-7.4.0 for xorg-server's glamor.

    • [rthomsen] - Update to phonon-4.8.0 and phonon-backend-vlc-0.8.0. Re-add phonon-backend-gstreamer to the book. Fixes #5480, #5481 and #5482.

  • September 9th, 2014

    • [igor] - Update to mesa-10.2.7. Fixes #5477.

  • September 8th, 2014

    • [fernando] - MesaLib-10.2.6: fix build with LLVM-3.5.0. Thanks ojab. Partially fixes #5475.

  • September 7th, 2014

    • [fernando] - Update to menu-cache-0.7.0. Fixes #5479.

    • [fernando] - Update p11-kit-0.20.5. Fixes #5478.

    • [fernando] - libpcap-1.6.2: fix build with bluez-5.2. Fixes #5468.

  • September 6th, 2014

    • [ken] - Update to firefox-32.0. Fixes #5460.

    • [fernando] - Update to mc-4.8.13. Fixes #5476.

    • [fernando] - Update to LLVM-3.5.0. Fixes #5475.

    • [igor] - Update to mercurial-3.1.1. Fixes #5464.

  • September 5th, 2014

    • [pierre] - Update to icedtea-2.5.2. Fixes #5450.

    • [fernando] - Update to pango-1.36.7. Fixes #5472.

    • [fernando] - Update to sysstat-11.1.1. Fixes #5471.

    • [fernando] - Update to libwnck 3.4.9. Fixes #5467.

    • [fernando] - Update to libpcap-1.6.2. Fixes #5468.

    • [fernando] - Update to LVM2.2.02.111. Fixes #5456.

  • September 4th, 2014

    • [fernando] - Update to gimp-help-2.8.2. Fixes #5466.

  • September 3rd, 2014

    • [igor] - Update to php-5.6.0. Fixes #5444.

    • [ken] - add run-parts script (from Slackware) to the libpaper page - thanks to akhiezer for his help.

    • [fernando] - LXDM-0.5.0 fixes: typo and some rewriting. Fix again localization, Thanks Armin K.

  • September 2nd, 2014

    • [fernando] - LXDM-0.5.0 fixes: typo in configure, localization and starting.

    • [fernando] - Update to appstream-glib-0.3.0. Fixes #5465.

    • [fernando] - Update to iso-codes-3.56. Fixes #5463.

    • [fernando] - Update to lxde-common-0.5.6. Fixes #5462.

    • [fernando] - Update to libunistring-0.9.4. Fixes #5458.

    • [fernando] - Update to exempi-2.2.2. Fixes #5457.

  • September 1st, 2014

    • [fernando] - Update to appdata-tools-0.1.8. Thanks Christopher G. for reporting. Fixes #5452.

    • [fernando] - Add appstream-glib-0.2.5, copied, modified, from BLFS systemd branch. Thanks Christopher G. Fixes #5451.

    • [pierre] - Add Icedtea-Sound-1.0.1. Fixes #5217.

    • [pierre] - Add basic configuration instructions to PulseAudio. Fixes #5455.

    • [fernando] - Add LXDM-0.5.0, copied, modified, from BLFS systemd branch. Fixes #5459.

  • August 31st, 2014

    • [ken] - Clean up libpaper, in particular remove the /uetc/papersize typo. Thanks to willimm, fixes #5454.

    • [fernando] - Completely modify and fix instructions for alsa-tools-1.0.28. Fixes #5453.

    • [fernando] - Update to libreoffice- Fixes #5445.

  • August 30th, 2014

    • [ken] - Update to nss-3.17. Fixes #5449.

    • [rthomsen] - Correct documentation installation path for libdvdread.

    • [fernando] - Update to elfutils-0.160. Fixes #5448.

    • [fernando] - Update to zsh-5.0.6. Fixes #5447.

    • [fernando] - Update to gstreamer-1.4.1 and plugins. Fixes #5446.

  • August 29th, 2014

    • [ken] - Added biblatex-biber-1.8 and its multitudinous perl-module dependencies. Fixes #5228.

    • [fernando] - LibreOffice-4.3.0: add three new optional dependencies. Thanks Wayne B.

    • [fernando] - Git-2.1.0: fix AsciiDoc/xmlto documentation install. Thanks Alex L.

    • [fernando] - webkitgtk-2.4.5: tidy up xml.

    • [igor] - Update to scons-2.3.3. Fixes #5428.

  • August 28th, 2014

    • [ken] - Added instructions to build xindy in texlive. Fixes #4719.

    • [ken] - Added clisp-2.49. Fixes #5441.

    • [ken] - Added libsigsegv-2.10. Fixes #5442.

    • [fernando] - LibreOffice-4.3.0 - fix broken symbolic links. Thanks Wayne B.

    • [fernando] - Fix Tk-8.6.2 md5sum that changed overnight. Thanks Wayne B.

    • [fernando] - Remove WebKitGTK+1.10.x, consequently, fix Midori-0.5.8 and Gimp-2.8.14 (remove broken ftp link from the latter). Fixes #5434.

    • [fernando] - Update to webkitgtk-2.4.5. Fixes #5426.

    • [ken] - Added libpaper-1.1.24+nmu3. Fixes #5440.

    • [igor] - Update to gimp-2.8.14. Fixes #5432.

  • August 27th, 2014

    • [fernando] - Update to menu-cache-0.6.1. Fixes #5438.

    • [fernando] - Update to tk8.6.2. Fixes #5437.

    • [fernando] - Update to tcl8.6.2. Fixes #5436.

    • [fernando] - Update to LVM2.2.02.110. Fixes #5435.

    • [fernando] - Cyrus-sasl-2.1.26: Various package fixes, including autotools fixes, plugin fixes, security fixes, parallel build fixes. Thanks to Armin K and Christopher G, from systemd branch. Fixes #5380.

    • [bdubbs] - Update to acpid-2.0.23. Fixes #5419.

    • [bdubbs] - Remove no longer needed xulrunner. Fixes #5433.

    • [bdubbs] - Fix typo in bind random device. Fixes #5378.

    • [bdubbs] - Fix potential error in dhclient shutdown. Fixes #5416.

    • [ken] - Update to libwww-perl-6.08 and URI-1.64.

    • [igor] - Update to nmap-6.47. Fixes #5417.

  • August 26th, 2014

    • [fernando] - Minor fixes to libtasn1-4.1 and Gvfs-1.20.3 (reordered external/internal optional dependencies, for the latter).

    • [fernando] - Update to grilo-plugins-0.2.13. Fixes #5431.

    • [fernando] - Update to grilo-0.2.11. Fixes #5430.

    • [fernando] - Update to libfm- Fixes #5429.

    • [fernando] - Update to gnutls-3.3.7. Fixes #5427.

    • [fernando] - Brasero-3.10.0: fix cdrtools link. Thanks to Christopher G, from systemd branch. Fixes #5425.

    • [fernando] - Cdrdao-1.2.3: remove instructions for gcdmaster build. Thanks to Christopher G, from systemd branch. Fixes #5424.

  • August 25th, 2014

    • [fernando] - Update to libtasn1-4.1. Fixes #5423.

    • [fernando] - Update to pcmanfm-1.2.2. Fixes #5422.

    • [fernando] - Update to libfm-1.2.2. Fixes #5421.

    • [fernando] - Update to gvfs-1.20.3. Fixes #5420.

    • [fernando] - OpenJDK- fix desktop file instructions, hopefully. Sorry for the mess.

  • August 24th, 2014

    • [fernando] - LibreOffice-4.3.0: reorder some dependencies; add comment about the two SBUs and buildsizes, thanks to Christopher G, from systemd branch, for noticing.

    • [fernando] - OpenJDK- fix man pages and add a desktop file.

    • [fernando] - Update to icedtea-web-1.5.1, reorder some dependencies and add a desktop file. Replace Xulrunner-31.0 dependency by NPAPI-SDK-0.27.2, thanks to Armin K, from systemd branch for remembering (I had asked about this in one list some time ago, but forgot to check). Fixes #5389.

    • [fernando] - Update to libpng-1.6.13. Fixes #5418.

    • [ken] - Make TeX Live use system gc for asymptote.

  • August 23rd, 2014

    • [rthomsen] - Update to KDE-4.14.0. Fixes #5403.

    • [igor] - Update to libgcrypt-1.6.2. Fixes #5408.

  • August 22nd, 2014

    • [fernando] - Update to libwebp-0.4.18. Fixes #5415.

    • [fernando] - Update to php-5.5.16. Fixes #5414.

    • [fernando] - Update to xine-ui-0.99.9. Fixes #5413.

    • [fernando] - Update to lxpanel-0.7.0. Fixes #5412.

    • [fernando] - Update to doxygen-1.8.8. Fixes #5411.

    • [fernando] - Update to poppler-0.26.4. Fixes #5410.

    • [fernando] - Update to libreoffice-4.3.0. Patch sent by Christopher G, from systemd branch, thank you very much. Some fixes from Armin K, from systemd branch, thanks. Fixes #5311.

    • [ken] - Update to mdadm-3.3.2. Fixes #5409.

    • [igor] - Use ssh-copy-id shell wrapper for copying OpenSSH public key. Fixes #5368.

  • August 21st, 2014

    • [fernando] - Update to cups-filters-1.0.58. Fixes #5407.

    • [fernando] - Update to gtksourceview-3.12.3. Fixes #5406.

  • August 20th, 2014

    • [fernando] - Update to nss-3.16.4. Fixes #5404.

    • [fernando] - Update to MesaLib-10.2.6. Fixes #5401.

    • [fernando] - Update to nspr-4.10.7. Fixes #5400.

    • [fernando] - Update to x264-20140818-2245. Fixes #5376.

    • [fernando] - Update to ImageMagick-6.8.9-7. Fixes #5375.

    • [ken] - Update to xf86-video-intel-2.99.914 from the systemd branch.

  • August 19th, 2014

    • [fernando] - Grilo-Plugins-0.2.12: reorder internal/external optional dependencies.

    • [fernando] - Update to totem-3.12.2. Fixes #5398.

    • [fernando] - Update to colord-1.2.2. Fixes #5397.

    • [fernando] - Update to librsvg-2.40.3. Fixes #5396.

    • [ken] - archive glamor-egl in favour of xorg-server's glamor. Fixes #5347.

    • [igor] - Update to dhcp-4.3.1. Fixes #5359.

  • August 18th, 2014

    • [fernando] - Update to libassuan-2.1.2. Fixes #5395.

    • [fernando] - Update to ffmpeg-2.3.3. Some fixes for documentation build. Thanks Bruce D. and Christopher G. for reporting. One fix was reported by Christopher G. Fixes #5394.

    • [ken] - add libepoxy-1.2 from the systemd branch.

  • August 17th, 2014

    • [fernando] - Fix URL: avahi, libasyncns (at pulseaudio page), libatasmart, libcanberra, libdaemon and mod_dnssd.

    • [fernando] - FontForge-2.0.20140101: reorder external/internal optional requirements.

    • [fernando] - Merge ImageMagick-6.8.9-1 from systemd.

    • [fernando] - MIT Kerberos V5-1.12.2: fix 'import the public key'. Thanks to Armin K. for reporting.

    • [fernando] - Update to pango-1.36.6. Fixes #5393.

    • [rthomsen] - Update to akonadi-1.13.0. Fixes #5351 and #5362.

    • [igor] - Update to subversion-1.8.10. Fixes #5356.

  • August 16th, 2014

    • [fernando] - Samba-4.1.11: promote libxslt-1.1.28 to Recommended. Fixes #5392.

    • [fernando] - MIT Kerberos V5-1.12.2: update gpg2, fix configure, install instructions and other parts. Fixes #5390.

    • [fernando] - Update to git-2.1.0. Modified docs and man instructions. Fixes #5388.

    • [fernando] - Update to SQLite-3.8.6. Fixes #5387.

    • [fernando] - Parted-3.2 fails to build with --disable-device-mapper. Reported and fixed by Ken M. Fixes #5386.

    • [igor] - Update to mariadb-10.0.13. Fixes #5355.

  • August 15th, 2014

    • [fernando] - Update to cups-filters-1.0.57. Fixes #5385.

    • [fernando] - Git-2.0.4 test suite needs compatibility symlinks recommended in GnuPG-2.0.26. Fixes #5377.

  • August 14th, 2014

    • [fernando] - Update to harfbuzz-0.9.35. Fixes #5374.

    • [fernando] - Update to cups-filters-1.0.56. Fixes #5373.

    • [fernando] - Update to clutter-1.18.4. Fixes #5372.

    • [fernando] - Update to poppler-data-0.4.7. Fixes #5371.

    • [fernando] - Update to p11-kit-0.20.4. Fixes #5370.

    • [fernando] - Update to krb5-1.12.2. Fixes #5369.

    • [igor] - Update to ffmpeg-2.3.2. Fixes #5354.

  • August 13th, 2014

    • [fernando] - Update to gnupg-2.0.26. Fixes #5367.

    • [igor] - Update to libidn-1.29. Fixes #5352.

  • August 12th, 2014

    • [fernando] - gnupg-2.0.25: fix import filter and add kbnode_t. Fixes #5364.

    • [fernando] - Change URL for psutils-p17. Fixes #5363.

    • [fernando] - Update to exim-4.84. Fixes #5361.

    • [fernando] - Update to serf-1.3.7. Fixes #5360.

    • [fernando] - Update to yasm-1.3.0. Fixes #5358.

    • [fernando] - Update to at_3.1.15. Fixes #5357.

    • [fernando] - bluez-5.22: /etc/sysconfig/bluetooth is installed with blfs-bootscripts-20140810; my earlier version of the bootscripts didn't have it. Fixes #5341.

    • [fernando] - libassuan-2.1.1: fix docs build. Fixes #5346.

    • [igor] - Update to boost-1.56.0. Fixes #5344.

  • August 11th, 2014

    • [bdubbs] - Clean up CA Certificate install instructions. Fixes #5350.

    • [bdubbs] - Update to lvm2.2.02.109. Fixes #5333.

    • [igor] - Update to unrar-5.1.7. Fixes #5342.

  • August 10th, 2014

    • [fernando] - Update to bluez-5.22. Fixes #5341.

    • [fernando] - Update to libtirpc-0.2.5. Fixes #5348.

    • [fernando] - libassuan-2.1.1: Problem building documentation. Fixes #5346.

    • [fernando] - Wrong syntax in iptables masquerading example. Fixes #5345.

    • [fernando] - Update to stunnel-5.03. Fixes #5343.

  • August 9th, 2014

    • [fernando] - Update to evince-3.12.2. Fixes #5349.

    • [igor] - Update to openssl-1.0.1i. Fixes #5340.

  • August 8th, 2014

    • [ken] - Apply upstream fix to libsigc++-2.3.2.

  • August 7th, 2014

    • [igor] - Update to qemu-2.1.0. Fixes #5318.

  • August 6th, 2014

    • [fernando] - Create a standard for packages with problems introduced by gcc-4.9.0. Modified: mdadm-3.3.1, gst-plugins-base-0.10.36, LAME-3.99.5 and LibreOffice-4.2.5. Thanks Christopher G., from systemd branch, for pointing that out, and Akhiezer and Armin K. for discussions.

    • [fernando] - Exim-4.83: fix exim daemon version in 'Short Descriptions'. Thanks Denis M.

    • [fernando] - GCC-4.9.1: as in LFS, use sed to fix a problem identified upstream.

    • [fernando] - FLTK-1.3.2: fix output of fltk-config --version. Thanks Jeremy H.

    • [igor] - Update to libxcb-1.11. Fixes #5323.

    • [igor] - Update to xcb-proto-1.11. Fixes #5322.

  • August 5th, 2014

    • [fernando] - Update to libdvdcss-1.3.0. Fixes #5335.

    • [fernando] - Update to cmake-3.0.1. Fixes #5334.

    • [fernando] - Add the description of the alsaucm bin. Thanks Denis M.

    • [ken] - Add option to build audacious-plugins without mpg123 (new behaviour in 3.5.1, configure used to test for it).

  • August 4th, 2014

    • [fernando] - Update to menu-cache-0.6.0. Fixes #5332.

    • [fernando] - Revert unneeded revision 13824 (FreeType-2.5.3 ...). Thanks Armin K., from systemd branch.

    • [fernando] - Fix FreeType-2.5.3 for first installation without Harfbuzz-0.9.34 that I forgot to make explicit (only talked about), when updating. Thanks Christopher G., from systemd branch.

    • [igor] - Update to ffmpeg-2.3.1. Fixes #5312.

  • August 3rd, 2014

    • [fernando] - Update to MesaLib-10.2.5. Fixes #5330.

    • [fernando] - Update to xrandr-1.4.3. Fixes #5329.

    • [fernando] - Update to whois_5.1.5. Fixes #5328.

    • [fernando] - Update to harfbuzz-0.9.34. Fixes #5327.

  • August 2nd, 2014

    • [fernando] - Update to libpeas-1.10.1. Fixes #5324.

    • [fernando] - Update to samba-4.1.11. Fixes #5321.

    • [fernando] - Update to mercurial-3.1. Fixes #5320.

    • [fernando] - Update to libsigc++-2.3.2. Fixes #5319.

  • August 1st, 2014

    • [fernando] - Update to wireshark-1.12.0. Fixes #5317.

    • [igor] - Update to libdrm-2.4.56. Fixes #5310.

  • July 31st, 2014

    • [fernando] - Update to cups-1.7.5 and separate internal from external optional dependencies. Fixes #5316.

    • [fernando] - Update to dhcpcd-6.4.3. Fixes #5315.

    • [fernando] - Update to gpgme-1.5.1. Fixes #5314.

    • [fernando] - Update to libndp-1.4. Fixes #5309.

    • [fernando] - Update to gdb-7.8. Fixes #5308.

    • [fernando] - parted-3.2: remove test. Fixes hopefully #5307.

    • [igor] - Update to git-2.0.4. Fixes #5295 and #5313.

  • July 29th, 2014

    • [fernando] - Update to parted-3.2. Fixes #5307.

    • [fernando] - Update to samba-4.1.10; separate internal from external optional dependencies. Fixes #5306.

    • [fernando] - Update to check-0.9.14. Fixes #5304.

    • [igor] - Update to harfbuzz-0.9.33. Fixes #5292.

  • July 28th, 2014

    • [ken] - Patch nfs-utils-1.3.0 to avoid segfault with gcc-4.9.1 reported by The Lightning Stalker.

    • [fernando] - Update to cups-filters-1.0.55. Fixes #5305.

    • [fernando] - Update to xterm-310. Fixes #5303.

    • [fernando] - libpcap-1.6.1 doesn't build with bluez-5.21. Thanks Wayne B. Fixes #5302.

    • [igor] - Update to libdrm-2.4.55. Fixes #5300.

  • July 27th, 2014

    • [fernando] - Thunderbird 31.0 and Python-2.7.8: Python2 needs to be built after openssl for this version of thunderbird.

    • [fernando] - Update to postgresql-9.3.5. Fixes #5299.

    • [fernando] - Update to php-5.5.15. Fixes #5298.

    • [fernando] - Update to LVM2.2.02.108. Fixes #5297.

    • [fernando] - Update to exim-4.83. Fixes #5293.

    • [fernando] - Fix vala-0.24.0 (for at least Gucharmap-3.12.1). #5301.

    • [bdubbs] - Separate libvdpau-va-gl to its own section. Fixes #5290.

    • [igor] - Update to libXext-1.3.3. Fixes #5294.

  • July 25th, 2014

    • [fernando] - Updates to gstreamer-1.4.0 and plugins, including gst-libav. Fixes #5283.

  • July 24th, 2014

    • [ken] - Update to firefox/xulrunner 31.0. Fixes #5287 - Python2 needs to be built after openssl for this version of firefox.

    • [fernando] - Update to poppler-0.26.3. Fixes #5284.

    • [fernando] - Update to audacious-3.5.1. Fixes #5289.

    • [fernando] - Update to gnutls-3.3.6. Fixes #5296.

    • [fernando] - Update to thunderbird-31.0. Fixes #5288.

    • [igor] - Update to ffmpeg-2.3. Fixes #5265.

    • [Chris] - Removed libxml2 dependency from MesaLib - it's no longer needed.

  • July 23rd, 2014

    • [pierre] - Icedtea-2.5.1/OpenJDK-1.7.0_65. Fixes #5270.

    • [fernando] - SBC-1.2: add switch to configure. Fixes #5291.

    • [fernando] - cURL-7.37.1: typo. Thanks Denis MUGNIER.

    • [fernando] - Update to httpd-2.4.10. Fixes #5286.

    • [fernando] - Update to libpcap-1.6.1. Fixes #5285.

    • [fernando] - Update to libXfont-1.5.0. Fixes #5282.

  • July 22nd, 2014

    • [bdubbs] - Split packages.ent into packages.ent and gnome.ent.

    • [bdubbs] - Split general.ent into general.ent and packages.ent.

    • [bdubbs] - Update to kde-4.13.3. Fixes #5268.

    • [pierre] - Update to GCC-4.9.1. Fixes #5272.

  • July 19th, 2014

    • [fernando] - Xulrunner-30.0: fix build with ac_add_options --enable-shared-js.

    • [fernando] - Update to MesaLib-10.2.4. Fixes #5281.

    • [fernando] - Update to libXi-1.7.4. Fixes #5280.

    • [fernando] - Cheese-3.12.2: include comment about test suite, according to systemd branch.

  • July 18th, 2014

    • [fernando] - Update to harfbuzz-0.9.32. Fixes #5279.

    • [fernando] - Update to nano-2.3.6. Fixes #5278.

    • [fernando] - Update to xorg-server-1.16.0. Fixes #5276.

    • [fernando] - Update to libnl-3.2.25. Fixes #5275.

    • [fernando] - git-2.0.2 and curl-7.37.1: separate internal and external dependencies.

  • July 17th, 2014

    • [fernando] - Update to curl-7.37.1. Fixes #5274.

    • [fernando] - Update to git-2.0.2. Fixes #5273.

    • [fernando] - Update to harfbuzz-0.9.31. Fixes #5271.

  • July 16th, 2014

    • [fernando] - Update to gparted-0.19.1. Fixes #5269.

    • [fernando] - Update to xfsprogs-3.2.1. Fixes #5263.

  • July 15th, 2014

    • [fernando] - Update to cups-1.7.4. Fixes #5266.

    • [fernando] - Update to dhcpcd-6.4.2. Fixes #5264.

  • July 14th, 2014

    • [fernando] - Update to xterm-309. Fixes #5261.

  • July 13th, 2014

    • [igor] - Update to scons-2.3.2. Fixes #5244.

    • [fernando] - Update to nano-2.3.5. Fixes #5260.

  • July 12th, 2014

    • [fernando] - Update to cifs-utils-6.4. Fixes #5259.

  • July 11th, 2014

    • [bdubbs] - Update to polkit-qt-1-0.112.0. Fixes #5258.

    • [bdubbs] - Update to libXi-1.7.3. Fixes #5255.

    • [bdubbs] - Update to libvdpau-0.8. Fixes #5232.

    • [bdubbs] - Add libvdpau-va-gl supplementary driver for libvdpau.

  • July 10th, 2014

    • [fernando] - Update to x264-20140709-2245. Fixes #5256.

    • [fernando] - Update to harfbuzz-0.9.30. Fixes #5254.

    • [fernando] - Update to xine-lib-1.2.6. Fixes #5246.

  • July 9th, 2014

    • [fernando] - Update to nss-3.16.3. Fixes #5253.

    • [fernando] - Update to Berkeley db-6.1.19. Fixes #5252.

    • [fernando] - Update to nano-2.3.4. Fixes #5251.

  • July 8th, 2014

    • [fernando] - Logrotate-3.8.7: typo, tweaks, more explanations.

    • [fernando] - Update to webkitgtk-2.4.4. Fixes #5250.

    • [fernando] - Update to MesaLib-10.2.3. Fixes #5249.

  • July 7th, 2014

    • [fernando] - Update to fcron-3.2.0. Fixes #5248.

    • [fernando] - Update to vlc-2.1.5. Reorder and separate internal and external dependencies. Fixes #5247.

    • [fernando] - Update to cogl-1.18.2. Fixes #5241.

    • [fernando] - Update to pixman-0.32.6. Fixes #5245.

    • [fernando] - Update to p11-kit-0.20.3. Fixes #5243.

    • [fernando] - Change title of libnewt-0.52.17 to newt-0.52.17. Thanks Bruce D.

  • July 6th, 2014

    • [bdubbs] - Update to bluez-5.21. Fixes #5242.

    • [pierre] - Add a missing switch for GCC-Java.

  • July 5th, 2014

    • [fernando] - Add newt-0.52.17 (libnewt). Fixes #5240.

    • [fernando] - Add libndp-1.3. Fixes #5239.

    • [fernando] - Update network-manager-applet- Fixes #5237.

    • [fernando] - Update NetworkManager- Fixes #5236.

    • [igor] - Update to lzo-2.08. Fixes #5222.

  • July 4th, 2014

    • [bdubbs] - Add logrotate-3.8.7. Fixes #5229.

  • July 3rd, 2014

    • [pierre] - Split GCC pages. Fixes #5000.

    • [fernando] - Update to iso-codes-3.55. Fixes #5235.

    • [fernando] - Update to dbus-1.8.6. Fixes #5234.

    • [fernando] - Update to whois_5.1.4. Fixes #5233.

    • [fernando] - Update to pcmanfm-1.2.1. Fixes #5231.

    • [fernando] - Update to libfm-1.2.1. Fixes #5230.

  • July 2nd, 2014

    • [fernando] - Update to mercurial-3.0.2. Fixes #5227.

    • [ken] - Update to texlive-20140525 and current (20140628) version of install-tl-unx. Fixes #5170.

    • [igor] - Update to git-2.0.1. Fixes #5209.

  • July 1st, 2014

    • [fernando] - Update to transmission-2.84. Fixes #5226.

    • [fernando] - Update to gnupg-2.0.25. Fixes #5225.

    • [fernando] - Update to Python-2.7.8. Fixes #5224.

    • [fernando] - Update to libburn-1.3.8. Fixes #5220.

    • [fernando] - Update to libisoburn-1.3.8. Fixes #5219.

    • [fernando] - Update to libisofs-1.3.8. Fixes #5218.

    • [fernando] - Update to Qt-5.3.1. Fixes #5206.

  • June 30th, 2014

    • [igor] - Update to xf86-video-ati-7.4.0. Fixes #5208.

  • June 29th, 2014

    • [fernando] - MPlayer-1.1.1:

      • Fix building with new versions of giflib.

      • Reorder dependencies to separate internal and external ones.

    • [fernando] - polkit-gnome-0.105: fix directory of polkit-gnome-authentication-agent-1.

    • [igor] - Update to xorg-server-1.15.2. Fixes #5212.

  • June 28th, 2014

    • [pierre] - Update to PHP-5.5.14. Fixes #5216.

    • [igor] - Update to lzo-2.07. Fixes #5210.

  • June 27th, 2014

    • [fernando] - XviD-1.3.3: fixes.

    • [pierre] - Update to Icedtea-2.5.0/OpenJDK- Fixes #5173.

    • [fernando] - Update to gnutls-3.3.5. Fixes #5215.

    • [fernando] - Update to libtasn1-4.0. Fixes #5214.

    • [pierre] - Update to LVM2-2.02.107. Fixes #5203.

  • June 26th, 2014

    • [igor] - Update to MesaLib-10.2.2. Fixes #5205.

  • June 25th, 2014

    • [fernando] - Update to gnupg-2.0.24. Fixes #5207.

    • [fernando] - Update to pango-1.36.5. Fixes #5204.

    • [fernando] - Update to ffmpeg-2.2.4. Fixes #5198.

  • June 24th, 2014

    • [fernando] - Update to pango-1.36.4. Fixes #5202.

    • [fernando] - Update to gtk+-2.24.24. Fixes #5201.

    • [fernando] - Update to vte-0.36.3. Fixes #5200.

    • [fernando] - Update to gnome-terminal-3.12.3. Fixes #5199.

    • [igor] - Update to rsync-3.1.1. Fixes #5195.

    • [fernando] - Update to samba-4.1.9. Fixes #5197.

    • [fernando] - Update to inkscape-0.48.5. Fixes #5196.

  • June 23rd, 2014

    • [fernando] - Update to libreoffice- Fixes #5194.

    • [bdubbs] - Update to phonon-backend-vlc-0.7.2. Fixes #5192.

    • [bdubbs] - Update to phonon-backend-gstreamer-4.7.2. Fixes #5191.

    • [bdubbs] - Update to phonon-4.7.2. Fixes #5190.

    • [bdubbs] - Update to bluez-5.20. Fixes #5193.

    • [krejzi] - Added FontForge-2.0.20140101.

  • June 21st, 2014

    • [pierre] - Slightly reword the paragraph about adding a user and a group in D-Bus (as proposed by B. Dubbs).

  • June 20th, 2014

    • [fernando] - Update to poppler-0.26.2. Fixes #5189.

    • [fernando] - Update to xterm-308. Fixes #5188.

  • June 18th, 2014

    • [fernando] - Update to sysstat-11.0.0. Fixes #5187.

    • [fernando] - Update to xterm-307. Fixes #5186.

    • [fernando] - Update to alsa 1.0.28. Fixes #5184.

    • [fernando] - Update to mpg123-1.20.1. Fixes #5183.

    • [bdubbs] - Update to xf86-input-wacom. Fixes #5185.

  • June 16th, 2014

    • [fernando] - Tweaks in valgrind-3.9.0 and php-5.5.13.

    • [fernando] - llvm-3.4.2. Fixes #5182.

    • [fernando] - mariadb-10.0.12. Fixes #5181.

  • June 16th, 2014

    • [fernando] - gnome-calculator-3.12.3. Fixes #5179.

    • [bdubbs] - Update to libva-intel-driver-1.3.2. Fixes #5180.

  • June 15th, 2014

    • [fernando] - seamonkey-2.26.1. Fixes #5178.

    • [fernando] - libpng-1.6.12. Fixes #5177.

    • [fernando] - gc-7.4.2. Fixes #5176.

    • [fernando] - traceroute-2.0.20. Fixes #5175.

    • [fernando] - dhcpcd-6.4.0. Fixes #5174.

    • [bdubbs] - Update to libusb-1.0.19. Fixes #5172.

    • [bdubbs] - Update to xcb-util-renderutil-0.3.9. Fixes #5171.

    • [bdubbs] - Update to sg3_utils-1.39. Fixes #5168.

    • [fernando] - Fix Net-DNS-0.76 md5sum, thanks Wayne B.

      Promote '--enable-tee' to parameter in Cairo-1.12.16 and 'ac_add_options --enable-system-cairo' in Xulrunner-30.0, Firefox-30.0 and Thunderbird-24.6.0, thanks Armin K.

      Replace sentence '... do not touch ...' by 'The BLFS editors recommend not changing anything below this line' (Xulrunner, Firefox and Thunderbird), thanks Bruce D.

  • June 14th, 2014

    • [bdubbs] - Add tigervnc-1.3.1. Fixes #3903.

  • June 13th, 2014

    • [fernando] - bind-9.10.0-P2/bind-utilities-9.10.0-P2. Fixes #5166.

    • [fernando] - Net::DNS-0.76. Fixes #5169.

    • [fernando] - wireshark-1.10.8. Fixes #5167.

    • [fernando] - unrar-5.1.6. Fixes #5165.

    • [fernando] - Modify build instructions for firefox-30.0 and thunderbird-24.6.0. Uncomment 'ac_add_options --enable-system-cairo' in xulrunner/firefox-30.0 and thunderbird-24.6.0. Thanks Armin K.

    • [bdubbs] - Add fltk-1.3.2 to support tigervnc.

  • June 12th, 2014

    • [fernando] - thunderbird-24.6.0. Fixes #5160.

    • [fernando] - xulrunner/firefox-30.0. Fixes #5155.

    • [bdubbs] - Update to kde-4.13.2. Fixes #5161.

  • June 11th, 2014

    • [fernando] - stunnel-5.02. Fixes #5164.

    • [fernando] - dbus-1.8.4. Fixes #5163.

    • [fernando] - gparted-0.19.0. Fixes #5162.

    • [bdubbs] - Update to mdadm-3.3.1. Fixes #5143.

    • [bdubbs] - Update to libevdev-1.2.2. Fixes #5141.

    • [fernando] - cups-filters-1.0.54. Fixes #5145.

  • June 10th, 2014

    • [fernando] - cmake-3.0.0. Fixes #5159.

    • [fernando] - gnumeric-1.12.17. Fixes #5157.

    • [fernando] - goffice-0.10.17. Fixes #5156.

    • [fernando] - Remove all explicit eudev version references from Udev Extras. Fixes #5154.

    • [fernando] - xscreensaver-5.29. Fixes #5153.

    • [bdubbs] - Update to autofs-5.1.0. Fixes #5138.

    • [igor] - Update to serf-1.3.6. Fixes #5158.

  • June 9th, 2014

    • [igor] - Update to libICE-1.0.9. Fixes #5147.

    • [pierre] - Improve detection and handling of udevd in mkinitramfs.

    • [pierre] - Eudev-1.7 (Udev-extras). Fixes #5128.

  • June 8th, 2014

    • [fernando] - MariaDB-10.0.11: move switch -DWITH_EMBEDDED_SERVER=ON to parameter.

    • [fernando] - nspr-4.10.6. Fixes #5151.

    • [fernando] - qpdf-5.1.2. Fixes #5150.

    • [fernando] - MesaLib-10.2.1. Fixes #5148.

    • [fernando] - libpng-1.6.11. Fixes #5142.

    • [bdubbs] - Update to kde-4.13.1. Fixes #5067.

    • [bdubbs] - Archive nepomuk-widgets, nepomuk-core, shared-desktop-ontologies, virtuoso, and soprano. Fixes #4780.

    • [bdubbs] - Add libkdcraw-4.13.1.

    • [bdubbs] - Add libraw-0.16.0.

    • [igor] - Update to libXft-2.3.2. Fixes #5144.

  • June 6th, 2014

    • [fernando] - samba-4.1.8. Fixes #5132.

    • [igor] - Update to wpa_supplicant-2.2. Fixes #5137.

  • June 5th, 2014

    • [fernando] - Fix gst-plugins-good-1.2.4: First Optional dependencies are actually Recommended.

    • [fernando] - Add note for order of installation in gst plugins.

    • [fernando] - Fix dependencies and build of xdg-utils-1.1.0-rc2.

    • [fernando] - Fix /etc/xdg/autostart in polkit-gnome-0.105.

    • [fernando] - openssl-1.0.1h. Fixes #5140.

    • [fernando] - xscreensaver-5.28. Fixes #5139.

    • [fernando] - Python-2.7.7. Fixes #5135.

    • [fernando] - xterm-306. Fixes #5134.

    • [fernando] - gnupg-2.0.23. Fixes #5133.

    • [igor] - Update to sqlite-3.8.5. Fixes #5136.

    • [pierre] - SWIG-3.0.2. Fixes #5111.

  • June 3rd, 2014

    • [fernando] - iso-codes-3.54. Fixes #5129.

    • [fernando] - mercurial-3.0.1. Fixes #5127.

    • [fernando] - clutter-gst-2.0.12. Fixes #5126.

    • [pierre] - Update to git-2.0.0. Fixes #5117.

    • [igor] - Update to ffmpeg-2.2.3. Fixes #5131.

  • June 1st, 2014

    • [fernando] - Change http URLs for: babl-0.1.10, gegl-0.2.0 and Gimp-2.8.10. Thanks to Armin K.

    • [fernando] - check-0.9.13. Fixes #5124.

    • [fernando] - xcursorgen-1.0.6. Fixes #5123.

    • [pierre] - Patch CUPS again to avoid dependency on Avahi. Fixes #5125.

  • May 31st, 2014

    • [fernando] - gnutls-3.3.4. Fixes #5122.

    • [fernando] - json-glib-1.0.2. Fixes #5121.

    • [fernando] - php-5.5.13. Fixes #5119.

    • [pierre] - Patch icedtea for new giflib API.

  • May 30th, 2014

    • [fernando] - harfbuzz-0.9.29. Fixes #5120.

    • [fernando] - inputproto-2.3.1. Fixes #5118.

    • [fernando] - exim-4.82.1. Fixes #5116.

    • [fernando] - gnome-calculator-3.12.2. Fixes #5115.

    • [fernando] - gedit-3.12.2. Fixes #5114.

    • [fernando] - xscreensaver-5.27. Fixes #5112.

    • [bdubbs] - Update to bluez-5.19. Bootscripts updated. Fixes #5083.

  • May 28th, 2014

    • [fernando] - Fix transmission-2.83 to build with Qt-4.8.6. Thanks to e5g6s. Final fix to #5080.

    • [fernando] - xkeyboard-config-2.12. Fixes #5110.

    • [fernando] - libogg-1.3.2. Fixes #5109.

    • [fernando] - mpg123-1.20.0. Fixes #5108.

    • [fernando] - cups-1.7.3. Fixes #5107.

    • [fernando] - Python-3.4.1. Fixes #5113.

  • May 27th, 2014

    • [fernando] - Fixes to install-tl-unx, Imlib2-1.4.6 and gnash-0.8.10.

    • [fernando] - pygobject-3.12.2. Fixes #5106.

    • [fernando] - whois_5.1.3. Fixes #5105.

    • [fernando] - gdk-pixbuf-2.30.8. Fixes #5104.

  • May 26th, 2014

    • [bdubbs] - Update to sendmail-8.14.9. Fixes #5095.

    • [ken] - Update fstab details / explanation for nfs clients. Fixes #5041.

    • [ken] - Second attempt at fixes for both versions of gst-plugins-base with gcc-4.9.0 on i686. Marked as "nodump" in the xml to avoid using it in other situations. 1.2.4 works, 0.10.36 compiles but I am unable to get sound, only video - the problem might be elsewhere in the 0.10 gstreamer packages.

    • [ken] - Second attempt at a fix for lame with gcc-4.9.0 on i686. Marked as "nodump" in the xml to avoid using it in other situations.

    • [fernando] - Fix to Doxygen-1.8.7.

    • [fernando] - webkitgtk-2.4.3. Fixes #5103.

    • [fernando] - ImageMagick-6.8.9-1. Fixes #5065.

    • [fernando] - libtasn1-3.6. Fixes #5102.

  • May 25th, 2014

    • [fernando] - Fixes to Gimp-2.8.10 and Transmission-2.83.

    • [fernando] - curl-7.37.0. Fixes #5094.

    • [fernando] - gnumeric-1.12.16. Fixes #5101.

    • [fernando] - goffice-0.10.16. Fixes #5098.

    • [fernando] - poppler-0.26.1. Fixes #5100.

    • [fernando] - qt-5.3.0. Fixes #5082.

    • [pierre] - Update to Mariadb-10.0.11. Fixes #5063.

  • May 24th, 2014

    • [fernando] - Fixes to seahorse-3.12.2 (for desktop file) and, thanks to Wayne B., to WebKitGTK+-2.4.2 (gtk+2 dependency).

    • [fernando] - elfutils-0.159. Fixes #5088.

    • [fernando] - transmission-2.83. Fixes #5080.

    • [fernando] - gpgme-1.5.0. Fixes #5097.

    • [fernando] - colord-1.2.1. Fixes #5099.

    • [ken] - Update to firefox/xulrunner 29.0.1. Fixes #4886 and #5044.

    • [pierre] - Update to talloc-2.1.1. Fixes #5089.

  • May 23rd, 2014

    • [bdubbs] - Update to xfsprogs-3.2.0. Fixes #5073.

    • [ken] - Update to postfix-2.11.1. Fixes #5048.

    • [fernando] - gutenprint-5.2.10. Fixes #5079.

    • [bdubbs] - Update to bind-9.10.0. Fixes #5014.

    • [pierre] - Update to NASM-2.11.05. Fixes #5096.

  • May 21st, 2014

    • [bdubbs] - Update to xf86-input-synaptics-1.8.0. Fixes #5070.

    • [bdubbs] - Update to xf86-input-evdev-2.9.0 and add libevdev-1.2.1. Fixes #5086.

    • [fernando] - SGMLSpm-1.1: Fix URL. Fixes #5090.

    • [fernando] - webkitgtk-2.4.2. Fixes #5059.

    • [fernando] - x264-20140519-2245. Fixes #5084.

    • [fernando] - xdg-utils-1.1.0-rc2. Fixes #4811.

    • [fernando] - Updates to gnome-desktop-3.12.2, gtksourceview-3.12.2, vte-0.36.2, cheese-3.12.2, eog-3.12.2, epiphany-3.12.1, nautilus-3.12.2, file-roller-3.12.2, gnome-system-monitor-3.12.2, gnome-terminal-3.12.2, gucharmap-3.12.1, and seahorse-3.12.2. Fixes #5060.

    • [bdubbs] - Update to MesaLib-10.1.4. Fixes #5085.

    • [pierre] - Vim: remove vim-lang instructions, add multibyte support and GTK+2 as a recommended dependency.

    • [fernando] - Archive-Zip: Fix URL. Partially fixes #5090.

    • [fernando] - lm_sensors-3.3.5: Remove ftp URL and add one patch for fancontrol and for sensors.conf.default. Fixes #5091.

    • [fernando] - Archive (comment out) XML::Parser. Fixes #5092.

    • [fernando] - Fcron-3.1.3 (remove non-working ftp), gegl-0.2.0 and babl-0.1.10 (fix URLs). Fixes #5093.

  • May 20th, 2014

    • [bdubbs] - Update to llvm-3.4.1. Fixes #5045.

    • [bdubbs] - Archive farstream. Addresses #5028.

    • [bdubbs] - Correct alsa-lib doc directory. Fixes #5075.

  • May 19th, 2014

    • [pierre] - Fix building of kdelibs with giflib-5.1.0. Fixes #5078.

  • May 18th, 2014

    • [fernando] - Fix Polkit-0.112 and Colord-1.2.0 to build without systemd.

    • [fernando] - gnome-keyring-3.12.2. Partially fixes #5060.

    • [fernando] - gcr-3.12.2. Partially fixes #5060.

    • [fernando] - gsettings-desktop-schemas-3.12.2. Partially fixes #5060.

    • [fernando] - gtk+-3.12.2. Fixes #5061.

    • [pierre] - Fix imlib2 and libwebp for building with giflib-5.1.0. Fixes #5076 and #5077.

  • May 17th, 2014

    • [ken] - Reinstate system boost and icu switches in libreoffice, thanks to Christopher Gregory for noticing.

    • [fernando] - Revert unnecessary revision 13047 "Help Lua-5.2.3 to find Ncurses-5.9 for Readline-6.3".

    • [fernando] - libatomic_ops-7.4.2. Fixes #5074.

    • [fernando] - libffi-3.1. Fixes #5058.

    • [fernando] - fcron-3.1.3. Fixes #5057.

    • [fernando] - libXfont-1.4.8. Fixes #5069.

    • [pierre] - Update to proftpd-1.3.5. Fixes #5071.

    • [pierre] - Update to giflib-5.1.0. Fixes #5072.

  • May 16th, 2014

    • [bdubbs] - Update to Net::DNS-0.75. Fixes #5054.

    • [bdubbs] - Update to subversion-1.8.9. Fixes #5068.

    • [pierre] - Update to git-1.9.3. Fixes #5047.

    • [pierre] - Update to dovecot-2.2.13. Fixes #5056.

  • May 15th, 2014

    • [pierre] - Update to apache-ant-1.9.4 and rearrange java pages. Fixes #5032.

  • May 14th, 2014

    • [bdubbs] - Update to shadow-4.2.1. Fixes #4989.

    • [bdubbs] - Update to sudo-1.8.10p3. Fixes #5055.

  • May 13th, 2014

    • [bdubbs] - Update to libnice-0.1.7. Fixes #4778.

    • [bdubbs] - Update to nasm-2.11.04. Fixes #5031.

    • [bdubbs] - Update to xf86-video-intel-2.99.911.

    • [bdubbs] - Update to xf86-input-evdev-2.8.4. Fixes #5051.

    • [bdubbs] - Update to xf86-input-synaptics-1.7.6. Fixes #5062.

    • [bdubbs] - Update to libva-1.3.1/libva-intel-driver-1.3.1. Fixes #5052 and #5053.

  • May 12th, 2014

    • [bdubbs] - Update to MesaLib-10.1.3. Fixes #5029.

    • [bdubbs] - Update udev-extras to use eudev.

    • [bdubbs] - Restore full dbus build to the book. Update to dbus-1.8.2. Fixes #5015.

  • May 10th, 2014

    • [fernando] - Fixes to GCC-4.9.0 (thanks Armin K. for the patch), Grilo-0.2.10, Gedit-3.12.1 and Totem-3.12.1.

    • [fernando] - qt-4.8.6. Fixes #5010.

    • [fernando] - ffmpeg-2.2.2. Fixes #5027.

    • [fernando] - lxpanel-0.6.2. Fixes #5049.

    • [fernando] - thunderbird-24.5.0. Fixes #5002.

    • [fernando] - gvfs-1.20.2. Fixes #5050.

    • [fernando] - ruby-2.1.2. Fixes #5043.

    • [fernando] - raptor2-2.0.14. Fixes #5033.

  • May 9th, 2014

    • [fernando] - seamonkey-2.26. Fixes #5023.

    • [fernando] - gdb-7.7.1. Fixes #5030.

    • [fernando] - unrarsrc-5.1.5. Fixes #5034.

    • [fernando] - gnutls-3.3.2. Fixes #5036.

    • [fernando] - nss-3.16.1. Fixes #5038.

    • [fernando] - nspr-4.10.5. Fixes #5035.

  • May 8th, 2014

    • [fernando] - Fix DoS vulnerability in the GIF image handler affecting Qt-4.8.5 and Qt-5.2.1 and several previous and more recent versions. Fixes #5040.

    • [ken] - Patch libreoffice- to build against system icu. Fixes #5016.

    • [ken] - Patch texlive-20130530 to build against poppler-0.26. Fixes #5039.

  • May 6th, 2014

    • [ken] - firefox/xulrunner 29.0. Fixes #5001.

  • May 4th, 2014

    • [fernando] - Fixes to colord-1.2.0 and ConsoleKit-0.4.6.

    • [fernando] - libdrm-2.4.54. Fixes #5024.

    • [fernando] - serf-1.3.5. Fixes #4998.

    • [fernando] - screen-4.2.1. Fixes #4999.

    • [fernando] - rxvt-unicode-9.20. Fixes #4995.

    • [fernando] - xterm-304. Fixes #5026.

    • [fernando] - whois_5.1.2. Fixes #5025.

    • [fernando] - mercurial-3.0. Fixes #5018.

    • [fernando] - openjpeg-1.5.2. Fixes #5009.

    • [fernando] - iso-codes-3.53. Fixes #5020.

    • [fernando] - libtasn1-3.5. Fixes #5021.

    • [fernando] - totem-3.12.1. Fixes #5013.

  • May 3rd, 2014

    • [bdubbs] - Updated to xf86-input-synaptics-1.7.5. Fixes #5006.

    • [bdubbs] - Updated to xf86-input-evdev-2.8.3. Fixes #5004.

  • May 2nd, 2014

    • [pierre] - php-5.5.12. Fixes #5019.

    • [fernando] - Fixes to grilo-plugins-0.2.12, gst-plugins-base-0.10.36 and midori-0.5.8.

    • [fernando] - libass-0.11.2. Fixes #4994.

    • [fernando] - gnumeric-1.12.15. Fixes #5012.

    • [fernando] - goffice-0.10.15. Fixes #5011.

    • [fernando] - harfbuzz-0.9.28. Fixes #5005.

    • [fernando] - libgtop-2.30.0. Fixes #5003.

    • [fernando] - unrar-5.1.4. Fixes #5007.

  • May 1st, 2014

    • [pierre] - Patch CUPS in order to remove dependency on Avahi.

  • April 29th, 2014

    • [fernando] - Fixes to build lame-3.99.5 and gst-plugins-base-1.2.4 with gcc-4.9.0. Minor fixes to libdvdread-4.9.9 and nautilus-3.12.0.

    • [fernando] - gnome-terminal-3.12.1. Fixes #4996.

    • [fernando] - vte-0.36.1. Fixes #4997.

    • [pierre] - Remove unneeded flags for compiling GCC-4.9.0 and correct test instructions.

    • [pierre] - Update to GCC-4.9.0. Fixes #4986.

  • April 28th, 2014

    • [bdubbs] - Synchronize udev extras with LFS.

    • [bdubbs] - Add references to dbus-launch to window managers.

    • [bdubbs] - Remove XML::Parser from perl modules.

    • [bdubbs] - Archive acl, attr, intltool, expat, gperf.

    • [bdubbs] - Synchronize libcap with LFS.

    • [bdubbs] - Synchronize D-Bus with LFS. Also fixes #4977.

  • April 27th, 2014

    • [fernando] - cups-filters-1.0.53. Fixes #4993.

    • [fernando] - Fixes to Inkscape-0.48.4, Cairo-1.12.16, Poppler-0.26.0 and Ruby-2.1.1. Thanks Igor Z and Armin K.

  • April 24th, 2014

    • [fernando] - poppler-0.26.0. Fixes #4992.

    • [fernando] - network-manager-applet- Fixes #4990.

    • [fernando] - NetworkManager- Fixes #4991.

  • April 24th, 2014

    • [fernando] - tree-1.7.0. Fixes #4988.

    • [fernando] - unrar-5.1.3. Fixes #4987.

    • [fernando] - wireshark-1.10.7. Fixes #4985.

    • [fernando] - audacious-3.5. Fixes #4984.

  • April 22nd, 2014

    • [fernando] - Fontsproto-2.1.3 breaks libXfont-1.4.7 - upstream fix. Thanks Armin K. for pointing to the upstream patch. Fixes #4982.

    • [fernando] - Fontsproto-2.1.3 breaks libXfont-1.4.7. Thanks Miklos K. Fixes #4982.

    • [fernando] - bluefish-2.2.6. Fixes #4983.

  • April 21st, 2014

    • [fernando] - MesaLib-10.1.1. Fixes #4976.

    • [fernando] - WebKitGTK+ 2.4.1. Fixes #4956.

    • [bdubbs] - Updated to doxygen-1.8.7. Fixes #4980.

    • [fernando] - gstreamer-1.2.4 and plugins, including gst-libav-1.2.4. Fixes #4975.

    • [fernando] - gnutls-3.3.1: fixes to build with guile and for the test suite.

    • [fernando] - gnutls-3.3.1. Fixes #4979.

    • [fernando] - apr-1.5.1. Fixes #4978.

  • April 20th, 2014

    • [rthomsen] - Add Ruby as dependency for Qt 5.

    • [fernando] - Updated to libreoffice- Fixes #4931.

  • April 19th, 2014

    • [pierre] - OpenJDK- Fixes #4966.

    • [fernando] - nmap-6.46. Fixes #4974.

    • [fernando] - xproto-7.0.26. Fixes #4963.

    • [fernando] - fontsproto-2.1.3. Fixes #4962.

  • April 18th, 2014

    • [bdubbs] - Updated to qemu-2.0.0. Fixes #4973.

  • April 17th, 2014

    • [bdubbs] - Updated to libiodbc-3.52.9. Fixes #4968.

    • [bdubbs] - Updated to libdvdread-4.9.9. Fixes #4955.

    • [bdubbs] - Updated to xine-lib-1.2.5. Fixes #4929.

    • [bdubbs] - Updated to libjpeg-turbo-1.3.1. Fixes #4970.

    • [bdubbs] - Updated to libgpg-error-1.13. Fixes #4967.

    • [bdubbs] - Updated to samba-4.1.7. Fixes #4972.

    • [fernando] - gnome-system-monitor-3.12.1. Partially fixes #4958.

    • [fernando] - file-roller-3.12.1. Partially fixes #4958.

    • [fernando] - evince-3.12.1. Partially fixes #4958.

    • [fernando] - eog-3.12.1. Partially fixes #4958.

    • [fernando] - cheese-3.12.1. Partially fixes #4958.

    • [fernando] - baobab-3.12.1. Partially fixes #4958.

    • [fernando] - gnome-desktop-3.12.1. Partially fixes #4958.

    • [fernando] - at-spi2-atk-2.12.1. Fixes #4960.

    • [fernando] - clutter-1.18.2. Fixes #4961.

    • [pierre] - Update to Icedtea-web-1.5. Fixes #4923.

    • [rthomsen] - Updated to akonadi-1.12.1.

    • [rthomsen] - Updated to KDE-4.13.0. Three new packages were added: kfilemetadata, baloo and baloo-widgets. Fixes #4751.

    • [rthomsen] - Added xapian-1.2.17. Required dependency of Baloo.

  • April 16th, 2014

    • [fernando] - gedit-3.12.1. Partially fixes #4892.

    • [fernando] - gtksourceview-3.12.1. Partially fixes #4892.

    • [fernando] - gjs-1.40.1. Fixes #4959.

    • [fernando] - glib-networking-2.40.1. Fixes #4964.

    • [fernando] - pygobject-3.12.1. Fixes #4965.

    • [bdubbs] - Updated to sg3_utils-1.38. Fixes #4894.

    • [bdubbs] - Updated to acpid-2.0.22. Fixes #4808.

    • [bdubbs] - Updated to json-c-0.12. Fixes #4938.

    • [bdubbs] - Updated to autofs-5.0.9. Fixes #4892.

    • [bdubbs] - Added patch to lxpanel to fix handling of .desktop files. Fixes #4915.

    • [bdubbs] - Updated to mariadb-10.0.10. Fixes #4883.

    • [bdubbs] - Archived mysql. Fixes #4899.

  • April 15th, 2014

    • [bdubbs] - stunnel-5.00. Fixes #4770.

    • [fernando] - xvid-1.3.3. Fixes #4948.

    • [fernando] - graphviz-2.38.0. Fixes #4953.

    • [fernando] - xorg-server-1.15.1. Fixes #4952.

    • [fernando] - gtkmm-3.12.0. Fixes #4951.

    • [fernando] - glibmm-2.40.0. Fixes #4954.

    • [fernando] - gnumeric-1.12.14. Fixes #4949.

    • [fernando] - goffice-0.10.14. Fixes #4950.

  • April 14th, 2014

    • [bdubbs] - qemu-1.7.1. Fixes #4873.

  • April 13th, 2014

    • [fernando] - Add fc-cache to instructions for font install in ghostscript-9.14.

    • [fernando] - bluez-5.18. Fixes #4946.

    • [fernando] - gvfs-1.20.1. Fixes #4941.

    • [fernando] - gtk+-3.12.1. Fixes #4945.

    • [fernando] - nmap-6.45. Fixes #4943.

    • [fernando] - ImageMagick-6.8.9-0. Fixes #4942.

    • [pierre] - Update to Icedtea-2.4.6. Fixes #4897.

    • [pierre] - Promote avahi to required dependency for CUPS-1.7.2. Fixes #4944.

  • April 12th, 2014

    • [fernando] - gnutls-3.3.0. Fixes #4940.

    • [fernando] - libdrm-2.4.53. Fixes #4937.

    • [fernando] - cups-1.7.2. Fixes #4936.

    • [fernando] - icu-53.1. Fixes #4889.

    • [fernando] - LVM2.2.02.106. Fixes #4939.

  • April 11th, 2014

    • [fernando] - Remove two items from 'Command Explanations' of Fcron-3.1.2: autoconf and --with-dsssl-dir=/usr/share/sgml/docbook/dsssl-stylesheets-1.79.

  • April 10th, 2014

    • [fernando] - gnome-calculator-3.12.1. Fixes #4934.

    • [fernando] - xfburn-0.5.2. Fixes #4933.

    • [fernando] - iso-codes-3.52. Fixes #4891.

    • [fernando] - git-1.9.2. Fixes #4935.

    • [fernando] - ffmpeg-2.2.1. Fixes #4932.

  • April 9th, 2014

    • [ken] - postgresql-9.3.4. Fixes #4840.

    • [fernando] - xf86-video-vmware-13.0.2. Fixes #4906.

    • [fernando] - xf86-input-wacom-0.24.0. Fixes #4905.

    • [fernando] - xrandr-1.4.2. Fixes #4904.

    • [fernando] - xauth-1.0.9. Fixes #4903.

    • [fernando] - xtrans-1.3.4. Fixes #4902.

    • [fernando] - shared-mime-info-1.3. Fixes #4930.

    • [ken] - xine-ui-0.99.8. Fixes #4790 and #4921.

  • April 8th, 2014

    • [fernando] - mc-4.8.12. Fixes #4893.

    • [fernando] - pcre-8.35. Fixes #4920.

    • [fernando] - util-macros-1.19.0. Fixes #4901.

    • [fernando] - cups-filters-1.0.52. Fixes #4922.

    • [fernando] - gnutls-3.2.13. Fixes #4925.

    • [fernando] - openssl-1.0.1g. Fixes #4924.

  • April 7th, 2014

    • [fernando] - colord-1.2.0. Fixes #4918.

    • [fernando] - mercurial-2.9.2. Fixes #4895.

    • [fernando] - unrarsrc-5.1.2. Fixes #4919.

    • [fernando] - giflib-5.0.6. Fixes #4890.

    • [fernando] - xmlto-0.0.26. Fixes #4917.

  • April 6th, 2014

    • [fernando] - Midori-0.5.8. Fixes #4908.

    • [fernando] - cups-filters-1.0.51. Fixes #4909.

    • [fernando] - nss-3.16. Fixes #4910.

    • [fernando] - network-manager-applet- Fixes #4907.

    • [fernando] - NetworkManager- Fixes #4898.

  • April 5th, 2014

    • [pierre] - PHP-5.5.11. Fixes #4896.

    • [pierre] - SQLite- Fixes #4900.

  • April 4th, 2014

    • [ken] - nfs-utils-1.3.0. Fixes #4870.

    • [fernando] - Fix URLs in Gnome packages, some wrong and some to use 'gnome-minor' entity.

    • [fernando] - Update to totem-3.12.0. Fixes #4862.

    • [fernando] - Update to gnome-system-monitor-3.12.0. Partially fixes #4862.

  • April 3rd, 2014

    • [fernando] - Update to gnome-terminal-3.12.0. Partially fixes #4862.

    • [fernando] - Update to nautilus-3.12.0. Partially fixes #4862.

    • [fernando] - Update to gnome-screenshot-3.12.0. Partially fixes #4862.

    • [fernando] - Update to gnome-calculator-3.12.0. Partially fixes #4862.

    • [fernando] - Update to file-roller-3.12.0. Partially fixes #4862.

    • [fernando] - Update to evince-3.12.0. Partially fixes #4862.

    • [fernando] - Update to epiphany-3.12.0. Partially fixes #4862.

    • [fernando] - Update to cheese-3.12.0. Partially fixes #4862.

    • [fernando] - Update to baobab-3.12.0. Partially fixes #4862.

    • [fernando] - Archive gnome-power-manager-3.10.1. Fixes #4888.

    • [fernando] - Add new package appdata-tools-0.1.7. Fixes #4887.

  • April 2nd, 2014

    • [fernando] - Update to Gucharmap-3.12.0. Partially fixes #4862.

    • [fernando] - Update to gnome-icon-theme-extras-3.12.0. Partially fixes #4862.

    • [fernando] - Update to gnome-themes-standard-3.12.0. Partially fixes #4862.

    • [fernando] - Update to gnome-icon-theme-symbolic-3.12.0. Partially fixes #4862.

    • [fernando] - Update to vte-0.36.0. Fixes #4865.

    • [fernando] - Update to dconf-0.20.0. Fixes #4864.

    • [fernando] - GLibmm-2.38.1 depends on GnuTLS. Thanks sor__. Fixes #4885.

  • March 31st, 2014

    • [fernando] - Update to eog-3.12.0. Partially fixes #4862.

    • [fernando] - Update to gnome-desktop-3.12.0. Partially fixes #4862.

    • [fernando] - Update to gnome-icon-theme-3.12.0. Partially fixes #4862.

    • [fernando] - Update to libpeas-1.10.0. Fixes #4882.

    • [fernando] - Update to gjs-1.40.0. Fixes #4879.

    • [fernando] - Python-2.7.6 fails to build readline module with Readline version 6.3. Thanks Igor Živković. Fixes #4880.

    • [fernando] - Fix Poppler-0.24.5 to build both, qt4 and 5 libraries. Fixes #4880.

    • [fernando] - Add new package Mozilla JS-24.2.0. Fixes #4500.

  • March 30th, 2014

    • [fernando] - Update to libva-intel-driver-1.3.0. Fixes #4857.

    • [fernando] - Update to libva-1.3.0. Fixes #4856.

    • [fernando] - Update to ghostscript-9.14. Thanks Armin K. for fixing to build with system zlib. Fixes #4867.

    • [fernando] - Add patch to BlueZ-5.17. Thanks Armin K. Fixes to work properly with gnome-bluetooth and/or kde bluedevil. Fixes #3759.

  • March 29th, 2014

    • [fernando] - Update to BlueZ-5.17. Patch from Armin K, thanks. Fixes #3759.

    • [pierre] - Make the Java Binary page versioned, and closer to the layout of other pages.

    • [pierre] - Use the fastCGI process manager for PHP. Fixes #4844.

    • [fernando] - LibreOffice-4.2.2 additional dependencies. Thanks Wayne B. Fixes #4877.

  • March 28th, 2014

    • [fernando] - Update to gedit-3.12.0. Partially fixes #4862.

    • [fernando] - Update to vala-0.24.0. Fixes #4875.

    • [fernando] - Update to gtksourceview-3.12.0. Partially fixes #4862.

    • [fernando] - Update to yelp-xsl-3.12.0. Partially fixes #4862.

    • [fernando] - Update to gtk+-3.12.0. Fixes #4861.

    • [fernando] - Update to gdk-pixbuf-2.30.7. Fixes #4869.

    • [fernando] - Update to json-glib-1.0.0. Fixes #4872.

    • [fernando] - Update to at-spi2-atk-2.12.0. Fixes #4860.

    • [fernando] - Update to at-spi2-core-2.12.0. Fixes #4859.

    • [fernando] - Update to atk-2.12.0. Fixes #4858.

    • [fernando] - Archive PyAtSpi2-2.10.0. Fixes #4853.

    • [fernando] - Update to pygobject-3.12.0. Fixes #4852.

  • March 27th, 2014

    • [fernando] - Update to totem-pl-parser-3.10.2. Fixes #4863.

    • [fernando] - Update to libsoup-2.46.0. Fixes #4855.

    • [fernando] - Update to glib-networking-2.40.0. Fixes #4854.

    • [fernando] - Update to gsettings-desktop-schemas-3.12.0. Partially fixes #4862.

    • [fernando] - Update to gobject-introspection-1.40.0. Fixes #4871.

    • [fernando] - Fix pycairo-1.10.0 to build with python-3.4. Thanks to Wayne B. Fixes #4868.

    • [fernando] - Update to curl-7.36.0. Fixes #4874.

    • [fernando] - Update to cups-filters-1.0.49. Fixes #4866.

  • March 25th, 2014

    • [fernando] - Update to yelp-3.12.0. Partially fixes #4862.

    • [fernando] - Update to WebKitGTK+-2.4.0. Fixes #4849.

    • [fernando] - Update to glib-2.40.0. Fixes #4850.

    • [fernando] - Update to fontconfig-2.11.1. Fixes #4851.

    • [fernando] - Update to ffmpeg-2.2. Fixes #4848.

  • March 24th, 2014

    • [fernando] - Update to seahorse-3.12.0. Fixes #4847.

    • [fernando] - Update to gnome-keyring-3.12.0. Fixes #4846.

    • [fernando] - Update to gcr-3.12.0. Fixes #4845.

    • [fernando] - Update to unbound-1.4.22. Fixes #4794.

  • March 23rd, 2014

    • [fernando] - Update to gvfs-1.20.0. Fixes #4843.

  • March 22nd, 2014

    • [fernando] - Update to clutter-1.18.0. Fixes #4826.

    • [fernando] - Update to cogl-1.18.0. Fixes #4842.

    • [fernando] - Update to guile-2.0.11. Fixes #4841.

    • [pierre] - Update to SWIG-3.0.0. Fixes #4813.

  • March 21st, 2014

    • [pierre] - Fix some Icedtea-Openjdk dependencies, addressing #4839. Thanks to Fernando.

  • March 20th, 2014

    • [fernando] - Update to seamonkey-2.25. Fixes #4833.

    • [fernando] - Update to grilo-plugins-0.2.12. Fixes #4838.

    • [fernando] - Update to grilo-0.2.10. Fixes #4837.

    • [fernando] - Update to libgsf-1.14.30. Fixes #4835.

    • [fernando] - Update to sudo-1.8.10p2. Fixes #4834.

    • [fernando] - Fix icedtea dependencies. Fixes #4839.

    • [fernando] - Update to webkitgtk-2.2.6. Fixes #4829.

  • March 19th, 2014

    • [fernando] - Parted 3.1 fails to build with Readline 6.3. Thanks Armin K. Fixes #4832.

    • [fernando] - Update to gnumeric-1.12.13. Fixes #4821.

    • [fernando] - Update to goffice-0.10.13. Fixes #4823.

    • [fernando] - Update to guile-2.0.10. Fixes #4825.

    • [fernando] - Update to gtk+-2.24.23. Fixes #4827.

    • [fernando] - Update to librsvg-2.40.2. Fixes #4831.

    • [fernando] - Update to pango-1.36.3. Fixes #4828.

    • [fernando] - Update to harfbuzz-0.9.27. Fixes #4830.

    • [fernando] - Update to unrar-5.1.1. Fixes #4824.

    • [fernando] - Update to Git-1.9.1. Fixes #4820.

    • [ken] - minor re-ordering of firefox and xulrunner mozconfigs to put the new pulse option above the 'recommended not to touch anything below this' line.

  • March 18th, 2014

    • [fernando] - Update to thunderbird-24.4.0. Fixes #4819.

    • [fernando] - Update to xulrunner-28.0/firefox-28.0 and firefox-28.0-standalone. Fixes #4818.

  • March 17th, 2014

    • [fernando] - Several small fixes to Apr-Util-1.5.3, UPower-0.9.23 and Avahi-0.6.3 (thanks Armin K. for discussions).

    • [fernando] - Update to x264-20140316-2245. Fixes #4732.

    • [fernando] - Update to libFS-1.0.6. Fixes #4817.

    • [fernando] - Update to lcms2-2.6. Fixes #4816.

    • [fernando] - Update to Python-3.4.0. Fixes #4815. Thanks Armin K. for discussions.

    • [fernando] - Update to httpd-2.4.9. Fixes #4814.

  • March 16th, 2014

    • [fernando] - Update to libatomic_ops-7.4.0. Fixes #4812.

    • [fernando] - Ruby-2.1.1 fails to build with Readline-6.3. Thanks Armin K. Fixes #4810.

    • [fernando] - Update to ssh-askpass-6.6p1. Fixes #4809.

    • [fernando] - Update to openssh-6.6p1. Fixes #4807.

    • [fernando] - Update to sudo-1.8.10p1. Fixes #4806.

    • [bdubbs] - Add haveged. Fixes #4682.

    • [pierre] - Add Pax-070715. Fixes #4736.

    • [fernando] - Update to MariaDB-10.0.9. Fixes #4779.

    • [fernando] - PCRE-8.34: build and security fixes for MariaDB-10.0.9. Thanks Bruce Dubbs.

  • March 15th, 2014

    • [ken] - mutt-1.5.23. Fixes #4795.

    • [bdubbs] - Added valgrind-3.9.0. Fixes #4724.

    • [fernando] - Ristretto-0.6.3, Thunar-1.6.3 and xfce4-power-manager-1.2.0: include some dependencies.

    • [fernando] - Update to xf86-input-synaptics-1.7.4. Fixes #4802.

    • [fernando] - Update to PulseAudio 5.0. Fixes #4667.

    • [fernando] - Update to tumbler-0.1.30. Fixes #4786.

    • [fernando] - Update to garcon-0.3.0. Fixes #4785.

    • [fernando] - Update to dhcpcd-6.3.2. Fixes #4805.

  • March 14th, 2014

    • [fernando] - Update to mtdev-1.1.5. Fixes #4774.

    • [fernando] - Update to udisks-1.0.5. Fixes #4775.

    • [fernando] - Update to PHP 5.5.10. Fixes #4757.

    • [fernando] - Update to xcb-util-wm-0.4.1. Fixes #4728.

    • [fernando] - Update to scons-2.3.1. Fixes #4777.

    • [fernando] - Update to libreoffice- Fixes #4804. Fix typo, thanks stoat, #4796.

  • March 13th, 2014

    • [fernando] - Update to xfburn-0.5.0. Fixes #4726.

    • [fernando] - Update to nss-3.15.5. Fixes #4799.

    • [fernando] - Update to nspr-4.10.4. Fixes #4800.

    • [fernando] - Update to sqlite- Fixes #4798.

    • [fernando] - Update to libpng-1.6.10. Fixes #4797.

  • March 12th, 2014

    • [fernando] - Archive LXShortcut-0.1.2. Fixes #4793.

    • [fernando] - Update to Samba 4.1.6. Fixes #4792.

    • [fernando] - Update to pcmanfm-1.2.0. Fixes #4705.

    • [fernando] - Update to libfm-1.2.0. Fixes #4704.

    • [fernando] - Update to cups-filters-1.0.48. Fixes #4791.

    • [fernando] - Update to mpg123-1.19.0. Fixes #4789.

    • [fernando] - Update to gnome-video-effects-0.4.1. Fixes #4784.

    • [fernando] - Update to libsecret-0.18. Fixes #4783.

  • March 11th, 2014

    • [pierre] - Add the time utility, as required by the LSB. Partially fulfills #4736.

    • [fernando] - Update to udisks-2.1.3. Fixes #4776.

    • [fernando] - Update to gmime-2.6.20. Fixes #4773.

    • [fernando] - Update to ed-1.10. Fixes #4772.

    • [fernando] - Update to sudo-1.8.10. Fixes #4771.

    • [fernando] - Update to sqlite-3.8.4. Fixes #4768.

  • March 10th, 2014

    • [fernando] - Update to samba-4.1.5. Fixes #4730.

    • [fernando] - Update to MesaLib-10.1.0. Fixes #4753.

    • [fernando] - Update to Python-3.3.5. Fixes #4766.

    • [fernando] - Update to Lynx 2.8.8rel.2. Fixes #4765.

    • [bdubbs] - Update to gptfdisk-10.8.10. Fixes #4716.

    • [fernando] - Update to libreoffice-4.2.1. Fixes #4717.

    • [bdubbs] - Changed the location of Certificate Authority Certificates to an automated location on a LFS/BLFS server. Fixes #4758.

  • March 9th, 2014

    • [fernando] - Update to libisoburn-1.3.6. Fixes #4756.

    • [fernando] - Update to libburn-1.3.6. Fixes #4755.

    • [fernando] - Update to libisofs-1.3.6. Fixes #4754.

    • [fernando] - Update to Berkeley DB 6.0.30. Fixes #4763.

    • [fernando] - Update to mercurial-2.9.1. Fixes #4762.

    • [rthomsen] - Update to NTFS-3g 2014.2.15. Fixes #4747.

    • [fernando] - Update to WebKitGTK+ 2.2.5. Fixes #4703.

  • March 8th, 2014

    • [fernando] - Update to dhcpcd-6.3.1. Fixes #4741.

    • [fernando] - Update to keyutils-1.5.9. Fixes #4746.

    • [fernando] - Update to libass-0.11.1. Fixes #4712.

    • [fernando] - Update to rasqal-0.9.32. Fixes #4742.

    • [fernando] - Update to xterm-303. Fixes #4752.

    • [fernando] - Update to freetype-2.5.3. Fixes #4759.

    • [fernando] - Update to ffmpeg-2.1.4. Fixes #4738.

    • [fernando] - Update to grilo-plugins-0.2.11. Fixes #4701.

    • [fernando] - Update to grilo-0.2.9. Fixes #4700.

    • [fernando] - Update to totem-pl-parser-3.10.1. Fixes #4702.

  • March 7th, 2014

    • [fernando] - Update to wireshark-1.10.6. Fixes #4761.

    • [fernando] - Update to nasm-2.11.02. Fixes #4715.

    • [fernando] - Update to Subversion 1.8.8. Fixes #4729.

    • [fernando] - Update to ruby-2.1.1. Fixes #4739.

    • [fernando] - Update to vlc-2.1.4. Fixes #4734.

    • [fernando] - Update to mpg123-1.18.1. Fixes #4709.

    • [fernando] - Update to hicolor-icon-theme-0.13. Fixes #4707.

    • [fernando] - Update to gparted-0.18.0. Fixes #4713.

    • [fernando] - Update to cups-filters-1.0.46. Fixes #4735.

    • [fernando] - Update to yelp-3.10.2. Fixes #4750.

    • [ken] - Reinstate CFLAGS in cyrus-sasl so that it will build on x86_64.

  • March 6th, 2014

    • [pierre] - Add a sed to LVM2, to allow building with the new version of readline (6.3).

    • [fernando] - Update to gnumeric-1.12.12. Fixes #4696.

    • [fernando] - Update to goffice-0.10.12. Fixes #4706.

    • [fernando] - Update to gdk-pixbuf-2.30.6. Fixes #4698.

    • [fernando] - Update to gtk-doc-1.20. Fixes #4695.

  • March 5th, 2014

    • [ken] - gnutls- Fixes #4748.

    • [bdubbs] - Release of BLFS-7.5.

Last updated on 2014-09-22 16:47:23 -0700

Mailing Lists

The server is hosting a number of mailing lists that are used for the development of the BLFS book. These lists include, among others, the main development and support lists.

For more information regarding which lists are available, how to subscribe to them, archive locations, etc., visit

Last updated on 2007-04-04 12:42:53 -0700


The BLFS Project has created a Wiki for users to comment on pages and instructions at Comments are welcome from all users.

The following are the rules for posting:

  • Users must register and log in to edit a page.

  • Suggestions to change the book should be made by creating a new ticket, not by making comments in the Wiki.

  • Questions with your specific installation problems should be made by subscribing and mailing to the BLFS Support Mailing List at mailto:blfs-support AT linuxfromscratch D0T org.

  • Discussions of build instructions should be made by subscribing and mailing to the BLFS Development List at mailto:blfs-dev AT linuxfromscratch D0T org.

  • Inappropriate material will be removed.

Last updated on 2007-04-04 12:42:53 -0700

Asking for Help and the FAQ

If you encounter a problem while using this book, and your problem is not listed in the FAQ (, you will find that most of the people on Internet Relay Chat (IRC) and on the mailing lists are willing to help you. An overview of the LFS mailing lists can be found in Mailing lists. To assist us in diagnosing and solving your problem, include as much relevant information as possible in your request for help.

Things to Check Prior to Asking

Before asking for help, you should review the following items:

  • Is the hardware support compiled into the kernel or available as a module to the kernel? If it is a module, is it configured properly in modprobe.conf and has it been loaded? You should use lsmod as the root user to see if it's loaded. Check the sys.log file or run modprobe <driver> to review any error message. If it loads properly, you may need to add the modprobe command to your boot scripts.

  • Are your permissions properly set, especially for devices? LFS uses groups to make these settings easier, but it also adds the step of adding users to groups to allow access. A simple usermod -a -G audio <user> may be all that's necessary for that user to have access to the sound system (the -a option appends the group instead of replacing the user's existing supplementary groups). Any question that starts out with “It works as root, but not as ...” requires a thorough review of permissions prior to asking.

  • BLFS liberally uses /opt/<package>. The main objection to this centers around the need to expand your environment variables for each package placed there (e.g., PATH=$PATH:/opt/kde/bin). In most cases, the package instructions will walk you through the changes, but some will not. The section called “Going Beyond BLFS” is available to help you check.

Things to Mention

Apart from a brief explanation of the problem you're having, the essential things to include in your request are:

  • the version of the book you are using (being 7.6),

  • the package or section giving you problems,

  • the exact error message or symptom you are receiving,

  • whether you have deviated from the book or LFS at all,

  • if you are installing a BLFS package on a non-LFS system.

(Note that saying that you've deviated from the book doesn't mean that we won't help you. It'll just help us to see other possible causes of your problem.)

Expect guidance instead of specific instructions. If you are instructed to read something, please do so. It generally implies that the answer was way too obvious and that the question would not have been asked if a little research was done prior to asking. The volunteers in the mailing list prefer not to be used as an alternative to doing reasonable research on your end. In addition, the quality of your experience with BLFS is also greatly enhanced by this research, and the quality of volunteers is enhanced because they don't feel that their time has been abused, so they are far more likely to participate.

An excellent article on asking for help on the Internet in general has been written by Eric S. Raymond. It is available online at Read and follow the hints in that document and you are much more likely to get a response to start with and also to get the help you actually need.

Last updated on 2009-09-24 22:43:37 -0700


Many people have contributed both directly and indirectly to BLFS. This page lists all of those we can think of. We may well have left people out and if you feel this is the case, drop us a line. Many thanks to all of the LFS community for their assistance with this project.

Current Editors

  • Fernando de Oliveira

  • Bruce Dubbs

  • Ken Moffat

  • Ragnar Thomsen

  • Igor Živković

Contributors and Past Editors

The list of contributors is far too large to provide detailed information about the contributions for each contributor. Over the years, the following individuals have provided significant inputs to the book:

  • Timothy Bauscher

  • Daniel Bauman

  • Jeff Bauman

  • Andy Benton

  • Wayne Blaszczyk

  • Paul Campbell

  • Nathan Coulson

  • Jeroen Coumans

  • Guy Dalziel

  • Robert Daniels

  • Richard Downing

  • Manuel Canales Esparcia

  • Jim Gifford

  • Manfred Glombowski

  • Ag Hatzimanikas

  • Mark Hymers

  • James Iwanek

  • David Jensen

  • Jeremy Jones

  • Seth Klein

  • Alex Kloss

  • Eric Konopka

  • Larry Lawrence

  • DJ Lucas

  • Chris Lynn

  • Randy McMurchy

  • Andrew McMurry

  • Denis Mugnier

  • Billy O'Connor

  • Alexander Patrakov

  • Olivier Peres

  • Andreas Pedersen

  • Henning Rohde

  • Matt Rogers

  • James Robertson

  • Henning Rohde

  • Chris Staub

  • Jesse Tie-Ten-Quee

  • Thomas Trepl

  • Tushar Teredesai

  • Jeremy Utley

  • Zack Winkles

  • Christian Wurst

General Acknowledgments

  • Fernando Arbeiza

  • Miguel Bazdresch

  • Gerard Beekmans

  • Oliver Brakmann

  • Jeremy Byron

  • Ian Chilton

  • David Ciecierski

  • Jim Harris

  • Lee Harris

  • Marc Heerdink

  • Steffen Knollmann

  • Eric Konopka

  • Scot McPherson

  • Ted Riley

Last updated on 2014-08-16 10:01:22 -0700

Contact Information

Please direct your emails to one of the BLFS mailing lists. See Mailing lists for more information on the available mailing lists.

Last updated on 2012-02-05 21:15:51 -0800

Chapter 2. Important Information

This chapter is used to explain some of the policies used throughout the book, to introduce important concepts and to explain some issues you may see with some of the included packages.

Notes on Building Software

Those people who have built an LFS system may be aware of the general principles of downloading and unpacking software. Some of that information is repeated here for those new to building their own software.

Each set of installation instructions contains a URL from which you can download the package. The patches, however, are stored on the LFS servers and are available via HTTP. These are referenced as needed in the installation instructions.

While you can keep the source files anywhere you like, we assume that you have unpacked the package and changed into the directory created by the unpacking process (the 'build' directory). We also assume you have uncompressed any required patches and they are in the directory immediately above the 'build' directory.

We cannot emphasize strongly enough that you should start from a clean source tree each time. This means that if you have had an error during configuration or compilation, it's usually best to delete the source tree and re-unpack it before trying again. This obviously doesn't apply if you're an advanced user used to hacking Makefiles and C code, but if in doubt, start from a clean tree.

Building Software as an Unprivileged (non-root) User

The golden rule of Unix System Administration is to use your superpowers only when necessary. Hence, BLFS recommends that you build software as an unprivileged user and only become the root user when installing the software. This philosophy is followed in all the packages in this book. Unless otherwise specified, all instructions should be executed as an unprivileged user. The book will advise you on instructions that need root privileges.

Unpacking the Software

If a file is in .tar format and compressed, it is unpacked by running one of the following commands:

tar -xvf filename.tar.gz
tar -xvf filename.tgz
tar -xvf filename.tar.Z
tar -xvf filename.tar.bz2


You may omit using the v parameter in the commands shown above and below if you wish to suppress the verbose listing of all the files in the archive as they are extracted. This can help speed up the extraction as well as make any errors produced during the extraction more obvious to you.

You can also use a slightly different method:

bzcat filename.tar.bz2 | tar -xv

Finally, you sometimes need to be able to unpack patches which are generally not in .tar format. The best way to do this is to copy the patch file to the parent of the 'build' directory and then run one of the following commands depending on whether the file is a .gz or .bz2 file:

gunzip -v patchname.gz
bunzip2 -v patchname.bz2

Verifying File Integrity Using 'md5sum'

Generally, to verify that the downloaded file is genuine and complete, many package maintainers also distribute md5sums of the files. To verify the md5sum of the downloaded files, download both the file and the corresponding md5sum file to the same directory (preferably from different on-line locations), and (assuming file.md5sum is the md5sum file downloaded) run the following command:

md5sum -c file.md5sum

If there are any errors, they will be reported. Note that the BLFS book also includes md5sums for all the source files. To use the BLFS supplied md5sums, you can create a file.md5sum (place the md5sum data and the exact name of the downloaded file on the same line of a file, separated by white space) and run the command shown above. Alternatively, simply run the command shown below and compare the output to the md5sum data shown in the BLFS book.

md5sum <name_of_downloaded_file>

Creating Log Files During Installation

For larger packages, it is convenient to create log files instead of staring at the screen hoping to catch a particular error or warning. Log files are also useful for debugging and keeping records. The following command allows you to create an installation log. Replace <command> with the command you intend to execute.

( <command> 2>&1 | tee compile.log && exit $PIPESTATUS )

2>&1 redirects error messages to the same location as standard output. The tee command allows viewing of the output while logging the results to a file. The parentheses around the command run the entire command in a subshell and finally the exit $PIPESTATUS command ensures the result of the <command> is returned as the result and not the result of the tee command.
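What the exit $PIPESTATUS part buys you, as an added example (not from the BLFS book; the helper names and the constructed failing build step are assumptions): the same failing command is logged once through a bare tee pipeline and once through the book's form, and only the book's form reports the failure to the caller.

```bash
#!/bin/sh
# Added example: why the logging command ends in "exit $PIPESTATUS".
# PIPESTATUS is a Bash array, so both helpers hand the pipeline to bash.

# run_piped LOG COMMAND [ARGS...]
#   Logs through tee only. The pipeline's status is tee's status, so a
#   failed COMMAND still looks like success to the caller.
run_piped() {
    bash -c 'log=$1; shift
             ( "$@" 2>&1 | tee "$log" )' run_piped "$@"
}

# run_logged LOG COMMAND [ARGS...]
#   The form given in the book: after tee succeeds, the subshell exits
#   with the status of the first pipeline stage, i.e. COMMAND itself.
run_logged() {
    bash -c 'log=$1; shift
             ( "$@" 2>&1 | tee "$log" && exit $PIPESTATUS )' run_logged "$@"
}

demo_logging() {
    tmp=$(mktemp -d) || return 2
    # Constructed stand-in for a build step: one line on stdout, one error
    # on stderr, then a non-zero exit status.
    step='echo "cc -c main.c"; echo "main.c:1: error: constructed failure" >&2; exit 2'

    run_piped  "$tmp/piped.log"  sh -c "$step" >/dev/null && piped=0  || piped=$?
    run_logged "$tmp/logged.log" sh -c "$step" >/dev/null && logged=0 || logged=$?
    # 2>&1 put the error message into the log next to the normal output.
    errors=$(grep -c 'error:' "$tmp/logged.log")

    rm -rf "$tmp"
    echo "piped=$piped logged=$logged errors_in_log=$errors"
}

demo_logging
```

In a build script, the status returned by run_logged is what lets the script stop at the failing package while compile.log still holds the complete output.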

Automated Building Procedures

There are times when automating the building of a package can come in handy. Everyone has their own reasons for wanting to automate building, and everyone goes about it in their own way. Creating Makefiles, Bash scripts, Perl scripts or simply a list of commands used to cut and paste are just some of the methods you can use to automate building BLFS packages. Detailing how and providing examples of the many ways you can automate the building of packages is beyond the scope of this section. This section will expose you to using file redirection and the yes command to help provide ideas on how to automate your builds.

File Redirection to Automate Input

You will find times throughout your BLFS journey when you will come across a package that has a command prompting you for information. This information might be configuration details, a directory path, or a response to a license agreement. This can present a challenge to automate the building of that package. Occasionally, you will be prompted for different information in a series of questions. One method to automate this type of scenario requires putting the desired responses in a file and using redirection so that the program uses the data in the file as the answers to the questions.

Building the CUPS package is a good example of how redirecting a file as input to prompts can help you automate the build. If you run the test suite, you are asked to respond to a series of questions regarding the type of test to run and if you have any auxiliary programs the test can use. You can create a file with your responses, one response per line, and use a command similar to the one shown below to automate running the test suite:

make check < ../cups-1.1.23-testsuite_parms

This effectively makes the test suite use the responses in the file as the input to the questions. Occasionally you may end up doing a bit of trial and error determining the exact format of your input file for some things, but once figured out and documented you can use this to automate building the package.

Using yes to Automate Input

Sometimes you will only need to provide one response, or provide the same response to many prompts. For these instances, the yes command works really well. The yes command can be used to provide a response (the same one) to one or more instances of questions. It can be used to simulate pressing just the Enter key, entering the Y key or entering a string of text. Perhaps the easiest way to show its use is in an example.

First, create a short Bash script by entering the following commands:

cat > blfs-yes-test1 << "EOF"
#!/bin/bash

echo -n -e "\n\nPlease type something (or nothing) and press Enter ---> "

# Read one line of input from standard input
read A_STRING

if test "$A_STRING" = ""; then A_STRING="Just the Enter key was pressed"
else A_STRING="You entered '$A_STRING'"
fi

echo -e "\n\n$A_STRING\n\n"
EOF
chmod 755 blfs-yes-test1

Now run the script by issuing ./blfs-yes-test1 from the command line. It will wait for a response, which can be anything (or nothing) followed by the Enter key. After entering something, the result will be echoed to the screen. Now use the yes command to automate the entering of a response:

yes | ./blfs-yes-test1

Notice that piping yes by itself to the script results in y being passed to the script. Now try it with a string of text:

yes 'This is some text' | ./blfs-yes-test1

The exact string was used as the response to the script. Finally, try it using an empty (null) string:

yes '' | ./blfs-yes-test1

Notice this results in passing just the press of the Enter key to the script. This is useful for times when the default answer to the prompt is sufficient. This syntax is used in the Net-tools instructions to accept all the defaults to the many prompts during the configuration step. You may now remove the test script, if desired.

File Redirection to Automate Output

Automating the building of some packages, especially those that require you to read a license agreement one page at a time, requires using a method that avoids having to press a key to display each page. Redirecting the output to a file can be used in these instances to assist with the automation. The previous section on this page touched on creating log files of the build output. The redirection method shown there used the tee command to redirect output to a file while also displaying the output to the screen. Here, the output will only be sent to a file.

Again, the easiest way to demonstrate the technique is to show an example. First, issue the command:

ls -l /usr/bin | more

Of course, you'll be required to view the output one page at a time because the more filter was used. Now try the same command, but this time redirect the output to a file. The special file /dev/null can be used instead of the filename shown, but you will have no log file to examine:

ls -l /usr/bin | more > redirect_test.log 2>&1

Notice that this time the command immediately returned to the shell prompt without having to page through the output. You may now remove the log file.

The last example will use the yes command in combination with output redirection to bypass having to page through the output and then provide a y to a prompt. This technique could be used in instances when otherwise you would have to page through the output of a file (such as a license agreement) and then answer the question of “do you accept the above?”. For this example, another short Bash script is required:

cat > blfs-yes-test2 << "EOF"
#!/bin/bash

ls -l /usr/bin | more

echo -n -e "\n\nDid you enjoy reading this? (y,n) "

# Read the answer to the prompt from standard input
read A_STRING

if test "$A_STRING" = "y"; then A_STRING="You entered the 'y' key"
else A_STRING="You did NOT enter the 'y' key"
fi

echo -e "\n\n$A_STRING\n\n"
EOF
chmod 755 blfs-yes-test2

This script can be used to simulate a program that requires you to read a license agreement, then respond appropriately to accept the agreement before the program will install anything. First, run the script without any automation techniques by issuing ./blfs-yes-test2.

Now issue the following command which uses two automation techniques, making it suitable for use in an automated build script:

yes | ./blfs-yes-test2 > blfs-yes-test2.log 2>&1

If desired, issue tail blfs-yes-test2.log to see the end of the paged output, and confirmation that y was passed through to the script. Once satisfied that it works as it should, you may remove the script and log file.

Finally, keep in mind that there are many ways to automate and/or script the build commands. There is not a single “correct” way to do it. Your imagination is the only limit.


For each package described, BLFS lists the known dependencies. These are listed under several headings, whose meaning is as follows:

  • Required means that the target package cannot be correctly built without the dependency having first been installed.

  • Recommended means that BLFS strongly suggests this package is installed first for a clean and trouble-free build, that won't have issues either during the build process, or at run-time. The instructions in the book assume these packages are installed. Some changes or workarounds may be required if these packages are not installed.

  • Optional means that this package might be installed for added functionality. Often BLFS will describe the dependency to explain the added functionality that will result.

Using the Most Current Package Sources

On occasion you may run into a situation in the book when a package will not build or work properly. Though the Editors attempt to ensure that every package in the book builds and works properly, sometimes a package has been overlooked or was not tested with this particular version of BLFS.

If you discover that a package will not build or work properly, you should see if there is a more current version of the package. Typically this means you go to the maintainer's web site and download the most current tarball and attempt to build the package. If you cannot determine the maintainer's web site by looking at the download URLs, use Google and query the package's name. For example, in the Google search bar type: 'package_name download' (omit the quotes) or something similar. Sometimes typing: 'package_name home page' will result in you finding the maintainer's web site.

Stripping One More Time

In LFS, stripping of debugging symbols was discussed a couple of times. When building BLFS packages, there are generally no special instructions that discuss stripping again. It is probably not a good idea to strip an executable or a library while it is in use, so exiting any windowing environment is a good idea. Then you can do:

find /{,usr/}{bin,lib,sbin} -type f -exec strip --strip-unneeded {} \;

If you install programs in other directories such as /opt or /usr/local, you may want to strip the files there too.

For more information on stripping, see

Libtool files

One of the side effects of packages that use Autotools, including libtool, is that they create many files with an .la extension. These files are not needed in an LFS environment. If there are conflicts with pkgconfig entries, they can actually prevent successful builds. You may want to consider removing these files periodically:

find /lib /usr/lib -not -path "*Image*" -a -name \*.la -delete

The above command removes all .la files with the exception of those that have "Image" as a part of the path. These .la files are used by the ImageMagick programs. There may be other exceptions by packages not in BLFS.

Last updated on 2014-08-24 10:00:46 -0700

The /usr Versus /usr/local Debate

Should I install XXX in /usr or /usr/local?

This is a question without an obvious answer for an LFS based system.

In traditional Unix systems, /usr usually contains files that come with the system distribution, and the /usr/local tree is free for the local administrator to manage. The only really hard and fast rule is that Unix distributions should not touch /usr/local, except perhaps to create the basic directories within it.

With Linux distributions like Red Hat, Debian, etc., a possible rule is that /usr is managed by the distribution's package system and /usr/local is not. This way the package manager's database knows about every file within /usr.

LFS users build their own system and so deciding where the system ends and local files begin is not straightforward. So the choice should be made in order to make things easier to administer. There are several reasons for dividing files between /usr and /usr/local.

  • On a network of several machines all running LFS, or mixed LFS and other Linux distributions, /usr/local could be used to hold packages that are common between all the computers in the network. It can be NFS mounted or mirrored from a single server. Here local indicates local to the site.

  • On a network of several computers all running an identical LFS system, /usr/local could hold packages that are different between the machines. In this case local refers to the individual computers.

  • Even on a single computer, /usr/local can be useful if you have several distributions installed simultaneously, and want a place to put packages that will be the same on all of them.

  • Or you might regularly rebuild your LFS, but want a place to put files that you don't want to rebuild each time. This way you can wipe the LFS file system and start from a clean partition every time without losing everything.

Some people ask why not use your own directory tree, e.g., /usr/site, rather than /usr/local?

There is nothing stopping you, and many sites do make their own trees; however, it makes installing new software more difficult. Automatic installers often look for dependencies in /usr and /usr/local, and if the file an installer is looking for is in /usr/site instead, the installer will probably fail unless you specifically tell it where to look.

What is the BLFS position on this?

All of the BLFS instructions install programs in /usr with optional instructions to install into /opt for some specific packages.

Last updated on 2007-04-04 12:42:53 -0700

Optional Patches

As you follow the various sections in the book, you will observe that the book occasionally includes patches that are required for a successful and secure installation of the packages. The general policy of the book is to include patches that meet one of the following criteria:

  • Fixes a compilation problem.

  • Fixes a security problem.

  • Fixes broken functionality.

In short, the book only includes patches that are either required or recommended. There is a Patches subproject which hosts various patches (including the patches referenced in the books) to enable you to configure your LFS the way you like it.

Last updated on 2007-04-04 12:42:53 -0700

BLFS Boot Scripts

The BLFS Bootscripts package contains the init scripts that are used throughout the book. It is assumed that you will be using the BLFS Bootscripts package in conjunction with a compatible LFS-Bootscripts package. Refer to ../../../../lfs/view/7.6/chapter07/bootscripts.html for more information on the LFS-Bootscripts package.

The BLFS Bootscripts package will be used throughout the BLFS book for startup scripts. Unlike LFS, each init script has a separate install target in the BLFS Bootscripts package. It is recommended you keep the package source directory around until completion of your BLFS system. When a script is requested from BLFS Bootscripts, simply change to the directory and as the root user, execute the given make install-<init-script> command. This command installs the init script to its proper location (along with any auxiliary configuration scripts) and also creates the appropriate symlinks to start and stop the service at the appropriate run-level.


It is advisable to peruse each bootscript before installation to ascertain that it satisfies your need. Also verify that the start and stop symlinks it creates match your preferences.

Last updated on 2007-04-04 12:42:53 -0700

Libraries: Static or shared?

The original libraries were simply an archive of routines from which the required routines were extracted and linked into the executable program. These are described as static libraries (libfoo.a). On some old operating systems they are the only type available.

On almost all Linux platforms there are also shared libraries ( - one copy of the library is loaded into virtual memory, and shared by all the programs which call any of its functions. This is space efficient.

In the past, essential programs such as a shell were often linked statically so that some form of minimal recovery system would exist even if shared libraries, such as, became damaged (e.g. moved to lost+found after fsck following an unclean shutdown). Nowadays, most people use an alternative system install or a Live CD if they have to recover. Journaling filesystems also reduce the likelihood of this sort of problem.

Developers, at least while they are developing, often prefer to use static versions of the libraries which their code links to.

Within the book, there are various places where configure switches such as --disable-static are employed, and other places where the possibility of using system versions of libraries instead of the versions included within another package is discussed. The main reason for this is to simplify updates of libraries.

If a package is linked to a dynamic library, updating to a newer library version is automatic once the newer library is installed and the program is (re)started (provided the library major version is unchanged, e.g. going from to Going to will require recompilation - ldd can be used to find which programs use the old version). If a program is linked to a static library, the program always has to be recompiled. If you know which programs are linked to a particular static library, this is merely an annoyance. But usually you will not know which programs to recompile.

Most libraries are shared, but if you do something unusual, such as moving a shared library to /lib accidentally breaking the .so symlink in /usr/lib while keeping the static library in /lib, the static library will be silently linked into the programs which need it.

One way to identify when a static library is used is to deal with it at the end of the installation of every package. Write a script to find all the static libraries in /usr/lib or wherever you are installing to, and either move them to another directory so that they are no longer found by the linker, or rename them so that libfoo.a becomes e.g. libfoo.a.hidden. The static library can then be temporarily restored if it is ever needed, and the package needing it can be identified. You may choose to exclude some of the static libraries from glibc if you do this (libc_nonshared.a, libg.a, libieee.a, libm.a, libpthread_nonshared.a, librpcsvc.a, libsupc++.a) to simplify compilation.

If you use this approach, you may discover that more packages than you were expecting use a static library. That was the case with nettle-2.4 in its default static-only configuration: It was required by GnuTLS-3.0.19, but also linked into package(s) which used GnuTLS, such as glib-networking-2.32.3.
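The rename approach described above, written out as an added example that is not part of the BLFS book. It records which archives were hidden, so that after a library bug or vulnerability fix you know which builds had been relying on a static copy. The function names and the demo directory are assumptions of this example; the keep list and the .hidden suffix are the ones given in the text.

```shell
#!/bin/sh
# Added example (not from the BLFS book): hide installed static libraries so
# that the linker cannot silently pull one into a program.

# glibc static libraries the text suggests leaving in place.
KEEP_LIST="libc_nonshared.a libg.a libieee.a libm.a libpthread_nonshared.a librpcsvc.a libsupc++.a"

# is_kept NAME: succeed when NAME is on the keep list.
is_kept() {
    for keep in $KEEP_LIST; do
        [ "$1" = "$keep" ] && return 0
    done
    return 1
}

# hide_static_libs DIR: rename DIR/libfoo.a to DIR/libfoo.a.hidden and print
# each new name, giving a record of what was hidden after a package install.
hide_static_libs() {
    dir=$1
    for lib in "$dir"/*.a; do
        [ -L "$lib" ] && continue          # leave symlinks alone
        [ -f "$lib" ] || continue          # also skips an unmatched glob
        is_kept "${lib##*/}" && continue
        mv -- "$lib" "$lib.hidden" && printf '%s\n' "$lib.hidden"
    done
    return 0
}

# restore_static_lib DIR NAME: put one library back when a build fails
# without it, which also identifies the package that needs it.
restore_static_lib() {
    [ -f "$1/$2.hidden" ] || return 1
    mv -- "$1/$2.hidden" "$1/$2"
}

# demo: run both functions on a constructed directory (not a real /usr/lib).
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/libfoo.a"; : > "$tmp/libm.a"; : > "$tmp/libbar.so"
    echo "hidden:"; hide_static_libs "$tmp"
    restore_static_lib "$tmp" libfoo.a && echo "restored: $tmp/libfoo.a"
    rm -rf "$tmp"
}

# With a directory argument (as root for /usr/lib) act on it; otherwise demo.
if [ $# -gt 0 ]; then hide_static_libs "$1"; else demo; fi
```
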

Many packages put some of their common functions into a static library which is only used by the programs within the package and, crucially, the library is not installed as a standalone library. These internal libraries are not a problem - if the package has to be rebuilt to fix a bug or vulnerability, nothing else is linked to them.

When BLFS mentions system libraries, it means shared versions of libraries. Some packages such as Firefox-32.0.1 and ghostscript-9.14 include many other libraries. When they link to them, they link statically so this also makes the programs bigger. The version they ship is often older than the version used in the system, so it may contain bugs - sometimes developers go to the trouble of fixing bugs in their included libraries, other times they do not.

Sometimes, deciding to use system libraries is an easy decision. Other times it may require you to alter the system version (e.g. for libpng-1.6.13 if used for Firefox-32.0.1). Occasionally, a package ships an old library and can no longer link to the current version, but can link to an older version. In this case, BLFS will usually just use the shipped version. Sometimes the included library is no longer developed separately, or its upstream is now the same as the package's upstream and you have no other packages which will use it. In those cases, you might decide to use the included static library even if you usually prefer to use system libraries.

Last updated on 2013-02-11 10:51:17 -0800

Locale Related Issues

This page contains information about locale related problems and issues. In the following paragraphs you'll find a generic overview of things that can come up when configuring your system for various locales. Many (but not all) existing locale related problems can be classified and fall under one of the headings below. The severity ratings below use the following criteria:

  • Critical: The program doesn't perform its main function. The fix would be very intrusive, it's better to search for a replacement.

  • High: Part of the functionality that the program provides is not usable. If that functionality is required, it's better to search for a replacement.

  • Low: The program works in all typical use cases, but lacks some functionality normally provided by its equivalents.

If there is a known workaround for a specific package, it will appear on that package's page. For the most recent information about locale related issues for individual packages, check the User Notes in the BLFS Wiki.

The Needed Encoding is Not a Valid Option in the Program

Severity: Critical

Some programs require the user to specify the character encoding for their input or output data and present only a limited choice of encodings. This is the case for the -X option in a2ps-4.14 and Enscript-1.6.6, the -input-charset option in unpatched Cdrtools, and the character sets offered for display in the menu of Links-2.8. If the required encoding is not in the list, the program usually becomes completely unusable. For non-interactive programs, it may be possible to work around this by converting the document to a supported input character set before submitting to the program.

A solution to this type of problem is to implement the necessary support for the missing encoding as a patch to the original program or to find a replacement.

The Program Assumes the Locale-Based Encoding of External Documents

Severity: High for non-text documents, low for text documents

Some programs, nano-2.3.6 or JOE-3.7 for example, assume that documents are always in the encoding implied by the current locale. While this assumption may be valid for user-created documents, it is not safe for external ones. When this assumption fails, non-ASCII characters are displayed incorrectly, and the document may become unreadable.

If the external document is entirely text based, it can be converted to the current locale encoding using the iconv program.

For documents that are not text-based, this is not possible. In fact, the assumption made in the program may be completely invalid for documents where the Microsoft Windows operating system has set de facto standards. An example of this problem is ID3v1 tags in MP3 files (see the BLFS Wiki ID3v1Coding page for more details). For these cases, the only solution is to find a replacement program that doesn't have the issue (e.g., one that will allow you to specify the assumed document encoding).

Among BLFS packages, this problem applies to nano-2.3.6, JOE-3.7, and all media players except Audacious-3.5.1.

Another problem in this category is when someone cannot read the documents you've sent them because their operating system is set up to handle character encodings differently. This can happen often when the other person is using Microsoft Windows, which only provides one character encoding for a given country. For example, this causes problems with UTF-8 encoded TeX documents created in Linux. On Windows, most applications will assume that these documents have been created using the default Windows 8-bit encoding.

In extreme cases, Windows encoding compatibility issues may be solved only by running Windows programs under Wine.

The Program Uses or Creates Filenames in the Wrong Encoding

Severity: Critical

The POSIX standard mandates that the filename encoding is the encoding implied by the current LC_CTYPE locale category. This information is well-hidden on the page which specifies the behavior of Tar and Cpio programs. Some programs get it wrong by default (or simply don't have enough information to get it right). The result is that they create filenames which are not subsequently shown correctly by ls, or they refuse to accept filenames that ls shows properly. For the GLib-2.40.0 library, the problem can be corrected by setting the G_FILENAME_ENCODING environment variable to the special "@locale" value. Glib2 based programs that don't respect that environment variable are buggy.

Zip-3.0 and UnZip-6.0 have this problem because they hard-code the expected filename encoding. UnZip contains a hard-coded conversion table between the CP850 (DOS) and ISO-8859-1 (UNIX) encodings and uses this table when extracting archives created under DOS or Microsoft Windows. However, this assumption only works for those in the US and not for anyone using a UTF-8 locale. Non-ASCII characters will be mangled in the extracted filenames.

The general rule for avoiding this class of problems is to avoid installing broken programs. If this is impossible, the convmv command-line tool can be used to fix filenames created by these broken programs, or intentionally mangle the existing filenames to meet the broken expectations of such programs.

In other cases, a similar problem is caused by importing filenames from a system using a different locale with a tool that is not locale-aware (e.g., OpenSSH-6.6p1). In order to avoid mangling non-ASCII characters when transferring files to a system with a different locale, any of the following methods can be used:

  • Transfer anyway, fix the damage with convmv.

  • On the sending side, create a tar archive with the --format=posix switch passed to tar (this will be the default in a future version of tar).

  • Mail the files as attachments. Mail clients specify the encoding of attached filenames.

  • Write the files to a removable disk formatted with a FAT or FAT32 filesystem.

  • Transfer the files using Samba.

  • Transfer the files via FTP using RFC2640-aware server (this currently means only wu-ftpd, which has bad security history) and client (e.g., lftp).

The last four methods work because the filenames are automatically converted from the sender's locale to UNICODE and stored or sent in this form. They are then transparently converted from UNICODE to the recipient's locale encoding.

The Program Breaks Multibyte Characters or Doesn't Count Character Cells Correctly

Severity: High or critical

Many programs were written in an older era where multibyte locales were not common. Such programs assume that the C "char" data type, which is one byte, can be used to store single characters. Further, they assume that any sequence of characters is a valid string and that every character occupies a single character cell. Such assumptions completely break in UTF-8 locales. The visible manifestation is that the program truncates strings prematurely (i.e., at 80 bytes instead of 80 characters). Terminal-based programs don't place the cursor correctly on the screen, don't react to the "Backspace" key by erasing one character, and leave junk characters around when updating the screen, usually turning the screen into a complete mess.

Fixing this kind of problem is a tedious task from a programmer's point of view, like all other cases of retrofitting new concepts into an old, flawed design. In this case, one has to redesign all data structures to accommodate the fact that a complete character may span a variable number of "char"s (or switch to wchar_t and convert as needed). Also, for every call to "strlen" and similar functions, one has to find out whether a number of bytes, a number of characters, or the width of the string was really meant. Sometimes it is faster to write a program with the same functionality from scratch.

Among BLFS packages, this problem applies to xine-ui-0.99.9 and all the shells.

The Package Installs Manual Pages in Incorrect or Non-Displayable Encoding

Severity: Low

LFS expects that manual pages are in the language-specific (usually 8-bit) encoding, as specified on the LFS Man DB page. However, some packages install translated manual pages in UTF-8 encoding (e.g., Shadow, already dealt with), or manual pages in languages not in the table. Not all BLFS packages have been audited for conformance with the requirements put in LFS (the large majority have been checked, and fixes placed in the book for packages known to install non-conforming manual pages). If you find a manual page installed by any of the BLFS packages that is obviously in the wrong encoding, please remove or convert it as needed, and report this to the BLFS team as a bug.

You can easily check your system for any non-conforming manual pages by copying the following short shell script to some accessible location,

#!/bin/sh
# Begin
# Usage: find /usr/share/man -type f | xargs
for a in "$@"
do
    # echo "Checking $a..."
    # Pure-ASCII manual page (possibly except comments) is OK
    grep -v '.\\"' "$a" | iconv -f US-ASCII -t US-ASCII >/dev/null 2>&1 \
        && continue
    # Non-UTF-8 manual page is OK
    iconv -f UTF-8 -t UTF-8 "$a" >/dev/null 2>&1 || continue
    # Found a UTF-8 manual page, bad.
    echo "UTF-8 manual page: $a" >&2
done
# End

and then issuing the following command (modify the command below if the script is not in your PATH environment variable):

find /usr/share/man -type f | xargs

Note that if you have manual pages installed in any location other than /usr/share/man (e.g., /usr/local/share/man), you must modify the above command to include this additional location.

Last updated on 2013-02-11 10:51:17 -0800

Going Beyond BLFS

The packages that are installed in this book are only the tip of the iceberg. We hope that the experience you gained with the LFS book and the BLFS book will give you the background needed to compile, install and configure packages that are not included in this book.

When you want to install a package to a location other than /, or /usr, you are installing outside the default environment settings on most machines. The following examples should assist you in determining how to correct this situation. The examples cover the complete range of settings that may need updating, but they are not all needed in every situation.

  • Expand the PATH to include $PREFIX/bin.

  • Expand the PATH for root to include $PREFIX/sbin.

  • Add $PREFIX/lib to /etc/ or expand LD_LIBRARY_PATH to include it. Before using the latter option, check out If you modify /etc/, remember to update /etc/ by executing ldconfig as the root user.

  • Add $PREFIX/man to /etc/man_db.conf or expand MANPATH.

  • Add $PREFIX/info to INFOPATH.

  • Add $PREFIX/lib/pkgconfig to PKG_CONFIG_PATH. Some packages are now installing .pc files in $PREFIX/share/pkgconfig, so you may have to include this directory also.

  • Add $PREFIX/include to CPPFLAGS when compiling packages that depend on the package you installed.

  • Add $PREFIX/lib to LDFLAGS when compiling packages that depend on a library installed by the package.

If you are in search of a package that is not in the book, the following are different ways you can search for the desired package.

Some general hints on handling new packages:

  • Many of the newer packages follow the ./configure && make && make install process. Help on the options accepted by configure can be obtained via the command ./configure --help.

  • Most of the packages contain documentation on compiling and installing the package. Some of the documents are excellent, some not so excellent. Check out the homepage of the package for any additional and updated hints for compiling and configuring the package.

  • If you are having a problem compiling the package, try searching the LFS archives at for the error or if that fails, try searching Google. Often, a distribution will have already solved the problem (many of them use development versions of packages, so they see the changes sooner than those of us who normally use stable released versions). But be cautious - all builders tend to carry patches which are no longer necessary, and to have fixes which are only required because of their particular choices in how they build a package. You may have to search deeply to find a fix for the package version you are trying to use, or even to find the package (names are sometimes not what you might expect, e.g. ghostscript often has a prefix or a suffix in its name), but the following notes might help:

    • Arch - enter the package name in the 'Keywords' box, select the package name, select one of the 'SVN Entries' fields, then select the PKGBUILD to see how they build this package, or look at any patches.

    • Debian (use your country's version if there is one) - the source will be in .tar.gz tarballs (either the original upstream .orig source, or else a dfsg containing those parts which comply with debian's free software guidelines) accompanied by versioned .diff.gz or .tar.gz additions. These additions often show how the package is built, and may contain patches. In the .diff.gz versions, any patches create files in debian/patches.

    • Fedora - this site is still occasionally overloaded, but it is an easy way of looking at .spec files and patches. If you know their name for the package (e.g. mesa.git) you can append that to the URI to get to it. If not, use the search box. If the site is unavailable, try looking for a local mirror of (the primary site is usually unavailable if fedora cgit is not responding) and download a source rpm to see what they do.

    • Gentoo - the mirrors for ebuilds and patches seem to be well-hidden, and they change frequently. Also, if you have found a mirror, you need to know which directory the application has been assigned to. The ebuilds themselves can be found at - use the search field. If there are any patches, a mirror will have them in the files/ directory. Depending on your browser, or the mirror, you might need to download the ebuild to be able to read it. Treat the ebuild as a sort of pseudo-code / shell combination - look in particular for sed commands and patches, or hazard a guess at the meanings of the functions such as dodoc.

    • openSUSE - source only seems to be available in source rpms.

    • Slackware - the official package browser is currently broken. The site at has current and previous versions in their unofficial repository with links to homepages, downloads, and some individual files, particularly the .SlackBuild files.

    • Ubuntu - see the debian notes above.

    If everything else fails, try the blfs-support mailing-list.


If you have found a package that is only available in .deb or .rpm format, there are two small scripts, rpm2targz and deb2targz that are available at and to convert the archives into a simple tar.gz format.

You may also find an rpm2cpio script useful. The Perl version in the linux kernel archives at works for most source rpms. The rpm2targz script will use an rpm2cpio script or binary if one is on your path. Note that rpm2cpio will unpack a source rpm in the current directory, giving a tarball, a spec file, and perhaps patches or other files.

Last updated on 2013-08-26 08:43:33 -0700

Part II. Post LFS Configuration and Extra Software

Chapter 3. After LFS Configuration Issues

The intention of LFS is to provide a basic system which you can build upon. There are several things about tidying up the system which many people wonder about once they have done the base install. We hope to cover these issues in this chapter.

Most people coming from non-Unix like backgrounds to Linux find the concept of text-only configuration files slightly strange. In Linux, just about all configuration is done via the manipulation of text files. The majority of these files can be found in the /etc hierarchy. There are often graphical configuration programs available for different subsystems but most are simply pretty front ends to the process of editing a text file. The advantage of text-only configuration is that you can edit parameters using your favorite text editor, whether that be vim, emacs, or any other editor.

The first task is making a recovery boot device in Creating a Custom Boot Device because it's the most critical need. Then the system is configured to ease addition of new users, because this can affect the choices you make in the two subsequent topics—The Bash Shell Startup Files and The vimrc Files.

The remaining topics, Customizing your Logon with /etc/issue, The /etc/shells File, Random number generation, Autofs-5.1.0, and Configuring for Network Filesystems are then addressed, in that order. They don't have much interaction with the other topics in this chapter.

Creating a Custom Boot Device

Decent Rescue Boot Device Needs

This section is really about creating a rescue device. As the name rescue implies, the host system has a problem, often lost partition information or corrupted file systems, that prevents it from booting and/or operating normally. For this reason, you must not depend on resources from the host being "rescued". To presume that any given partition or hard drive will be available is a risky presumption.

In a modern system, there are many devices that can be used as a rescue device: floppy, cdrom, usb drive, or even a network card. Which one you use depends on your hardware and your BIOS. In the past, a rescue device was thought to be a floppy disk. Today, many systems do not even have a floppy drive.

Building a complete rescue device is a challenging task. In many ways, it is equivalent to building an entire LFS system. In addition, it would be a repetition of information already available. For these reasons, the procedures for a rescue device image are not presented here.

Creating a Rescue Floppy

The software of today's systems has grown large. Linux 2.6 no longer supports booting directly from a floppy. In spite of this, there are solutions available using older versions of Linux. One of the best is Tom's Root/Boot Disk available at This will provide a minimal Linux system on a single floppy disk and provides the ability to customize the contents of your disk if necessary.

Creating a Bootable CD-ROM

There are several sources that can be used for a rescue CD-ROM. Just about any commercial distribution's installation CD-ROMs or DVDs will work. These include RedHat, Mandrake, and SuSE. One very popular option is Knoppix.

Also, the LFS Community has developed its own LiveCD available at This LiveCD is no longer capable of building an entire LFS/BLFS system, but is still a good rescue CD-ROM. If you download the ISO image, use xorriso to copy the image to a CD-ROM.

The instructions for using GRUB2 to make a custom rescue CD-ROM are also available in LFS Chapter 8.

Creating a Bootable USB Drive

A USB Pen drive, sometimes called a Thumb drive, is recognized by Linux as a SCSI device. Using one of these devices as a rescue device has the advantage that it is usually large enough to hold more than a minimal boot image. You can save critical data to the drive as well as use it to diagnose and recover a damaged system. Booting such a drive requires BIOS support, but building the system consists of formatting the drive, adding GRUB as well as the Linux kernel and supporting files.

Last updated on 2014-01-19 04:43:46 -0800

Configuring for Adding Users

Together, the /usr/sbin/useradd command and /etc/skel directory (both are easy to set up and use) provide a way to assure new users are added to your LFS system with the same beginning settings for things such as the PATH, keyboard processing and other environmental variables. Using these two facilities makes it easier to assure this initial state for each new user added to the system.

The /etc/skel directory holds copies of various initialization and other files that may be copied to the new user's home directory when the /usr/sbin/useradd program adds the new user.


The useradd program uses a collection of default values kept in /etc/default/useradd. This file is created in a base LFS installation by the Shadow package. If it has been removed or renamed, the useradd program uses some internal defaults. You can see the default values by running /usr/sbin/useradd -D.

To change these values, simply modify the /etc/default/useradd file as the root user. An alternative to directly modifying the file is to run useradd as the root user while supplying the desired modifications on the command line. Information on how to do this can be found in the useradd man page.


To get started, create an /etc/skel directory and make sure it is writable only by the system administrator, usually root. Creating the directory as root is the best way to go.

The mode of any files from this part of the book that you put in /etc/skel should be writable only by the owner. Also, since there is no telling what kind of sensitive information a user may eventually place in their copy of these files, you should make them unreadable by "group" and "other".

You can also put other files in /etc/skel and different permissions may be needed for them.
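The permission rules above can be checked mechanically. The following is an added example, not part of the BLFS book: the function names and the BOOK_FILES list variable are illustrative, and it assumes a POSIX find as installed by LFS.

```shell
#!/bin/sh
# Added example: audit a skeleton directory against the rules stated above.

# The start-up files this part of the book suggests placing in /etc/skel.
BOOK_FILES=".inputrc .bash_profile .bashrc .bash_logout .dircolors .vimrc"

# skel_findings DIR OWNER: print one finding per line, unsorted.
skel_findings() (
    dir=$1
    owner=$2

    # The directory itself must belong to the administrator.
    find "$dir" -prune ! -user "$owner" -exec printf 'OWNER %s\n' {} \;

    # Neither the directory nor anything in it may be writable by group
    # or other. Symlink modes are meaningless, so symlinks are skipped.
    find "$dir" ! -type l \( -perm -020 -o -perm -002 \) \
        -exec printf 'WRITABLE %s\n' {} \;

    # The start-up files from the book must also be unreadable by group
    # and other. Other files in the directory may legitimately differ.
    for name in $BOOK_FILES; do
        [ -f "$dir/$name" ] || continue
        [ -L "$dir/$name" ] && continue
        find "$dir/$name" -prune \( -perm -040 -o -perm -004 \) \
            -exec printf 'READABLE %s\n' {} \;
    done
)

# audit_skel [DIR] [OWNER]
#   Returns 0 when clean, 1 when there are findings, 2 when DIR is missing.
#   OWNER may be a user name or a numeric uid.
audit_skel() (
    dir=${1:-/etc/skel}
    owner=${2:-root}

    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        exit 2
    fi

    findings=$(skel_findings "$dir" "$owner" | sort)
    [ -z "$findings" ] && exit 0
    printf '%s\n' "$findings"
    exit 1
)

# Usage, as root:  audit_skel /etc/skel root
```

A READABLE or WRITABLE finding is cleared with chmod 600 on the file; a WRITABLE finding on the directory itself with chmod 755.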

Decide which initialization files should be provided in every (or most) new user's home directory. The decisions you make will affect what you do in the next two sections, The Bash Shell Startup Files and The vimrc Files. Some or all of those files will be useful for root, any already-existing users, and new users.

The files from those sections that you might want to place in /etc/skel include .inputrc, .bash_profile, .bashrc, .bash_logout, .dircolors, and .vimrc. If you are unsure which of these should be placed there, just continue to the following sections, read each section and any references provided, and then make your decision.

You will run a slightly modified set of commands for files which are placed in /etc/skel. Each section will remind you of this. In brief, the book's commands have been written for files not added to /etc/skel and instead just send the results to the user's home directory. If the file is going to be in /etc/skel, change the book's command(s) to send output there instead and then just copy the file from /etc/skel to the appropriate directories, like /etc, ~ or the home directory of any other user already in the system.

When Adding a User

When adding a new user with useradd, use the -m parameter, which tells useradd to create the user's home directory and copy files from /etc/skel (can be overridden) to the new user's home directory. For example (perform as the root user):

useradd -m <newuser>

Last updated on 2007-10-16 06:49:09 -0700

About System Users and Groups

Throughout BLFS, many packages install programs that run as daemons or in some way should have a user or group name assigned. Generally these names are used to map a user ID (uid) or group ID (gid) for system use. Generally the specific uid or gid numbers used by these applications are not significant. The exception of course, is that root has a uid and gid of 0 (zero) that is indeed special. The uid values are stored in /etc/passwd and the gid values are found in /etc/group.

Customarily, Unix systems classify users and groups into two categories: system users and regular users. The system users and groups are given low numbers and regular users and groups have numeric values greater than all the system values. The cutoff for these numbers is found in two parameters in the /etc/login.defs configuration file. The default UID_MIN value is 1000 and the default GID_MIN value is 1000. If a specific uid or gid value is not specified when creating a user with useradd or a group with groupadd the values assigned will always be above these cutoff values.

Additionally, the Linux Standard Base recommends that system uid and gid values should be below 100.

Below is a table of suggested uid/gid values used in BLFS beyond those defined in a base LFS installation. These can be changed as desired, but provide a suggested set of consistent values.

Table 3.1. UID/GID Suggested Values

Name uid gid
bin 1
lp 9
adm 16
atd 17 17
messagebus 18 18
lpadmin   19
named 20 20
gdm 21 21
fcron 22 22
systemd-journal   23
apache 25 25
smmsp 26 26
polkitd 27 27
exim 31 31
postfix 32 32
postdrop 33
sendmail 34
mail 34
vmailman 35 35
news 36 36
kdm 37 37
mysql 40 40
postgres 41 41
dovecot 42 42
dovenull 43 43
ftp 45 45
proftpd 46 46
vsftpd 47 47
rsyncd 48 48
sshd 50 50
stunnel 51 51
svn 56 56
svntest 57
games 60 60
kvm 61
wireshark 62
lightdm 63 63
scanner 70
colord 71 71
systemd-bus-proxy 72 72
systemd-journal-gateway 73 73
systemd-journal-remote 74 74
systemd-journal-upload 75 75
systemd-network 76 76
systemd-resolve 77 77
systemd-timesync 78 78
ldap 83 83
avahi 84 84
avahi-autoipd 85 85
netdev 86
ntp 87 87
unbound 88 88
plugdev 90
anonymous 98
nobody 99
nogroup 99

One value that is missing is 65534. This value is customarily assigned to the user nobody and group nogroup and is unnecessary.

Last updated on 2014-09-22 15:13:35 -0700

About Devices

Although most devices needed by packages in BLFS and beyond are set up properly by udev using the default rules installed by LFS in /etc/udev/rules.d, there are cases where the rules must be modified or augmented.

Multiple Sound Cards

If there are multiple sound cards in a system, the "default" sound card becomes random. The method to establish sound card order depends on whether the drivers are modules or not. If the sound card drivers are compiled into the kernel, control is via kernel command line parameters in /boot/grub/grub.cfg. For example, if a system has both an FM801 card and a SoundBlaster PCI card, the following can be appended to the command line:

snd-fm801.index=0 snd-ens1371.index=1

If the sound card drivers are built as modules, the order can be established in the /etc/modprobe.conf file with:

options snd-fm801 index=0
options snd-ens1371 index=1

USB Device Issues

USB devices usually have two kinds of device nodes associated with them.

The first kind is created by device-specific drivers (e.g., usb_storage/sd_mod or usblp) in the kernel. For example, a USB mass storage device would be /dev/sdb, and a USB printer would be /dev/usb/lp0. These device nodes exist only when the device-specific driver is loaded.

The second kind of device nodes (/dev/bus/usb/BBB/DDD, where BBB is the bus number and DDD is the device number) are created even if the device doesn't have a kernel driver. By using these "raw" USB device nodes, an application can exchange arbitrary USB packets with the device, i.e., bypass the possibly-existing kernel driver.

Access to raw USB device nodes is needed when a userspace program is acting as a device driver. However, for the program to open the device successfully, the permissions have to be set correctly. By default, due to security concerns, all raw USB devices are owned by user root and group usb, and have 0664 permissions (the read access is needed, e.g., for lsusb to work and for programs to access USB hubs). Packages (such as SANE and libgphoto2) containing userspace USB device drivers also ship udev rules that change the permissions of the controlled raw USB devices. That is, rules installed by SANE change permissions for known scanners, but not printers. If a package maintainer forgot to write a rule for your device, report a bug to both BLFS (if the package is there) and upstream, and you will need to write your own rule.

There is one situation when such fine-grained access control with pre-generated udev rules doesn't work. Namely, PC emulators such as KVM, QEMU and VirtualBox use raw USB device nodes to present arbitrary USB devices to the guest operating system (note: patches are needed in order to get this to work without the obsolete /proc/bus/usb mount point described below). Obviously, maintainers of these packages cannot know which USB devices are going to be connected to the guest operating system. You can either write separate udev rules for all needed USB devices yourself, or use the default catch-all "usb" group, members of which can send arbitrary commands to all USB devices.

Before Linux-2.6.15, raw USB device access was performed not with /dev/bus/usb/BBB/DDD device nodes, but with /proc/bus/usb/BBB/DDD pseudofiles. Some applications (e.g., VMware Workstation) still use only this deprecated technique and can't use the new device nodes. For them to work, use the "usb" group, but remember that members will have unrestricted access to all USB devices. To create the fstab entry for the obsolete usbfs filesystem:

usbfs  /proc/bus/usb  usbfs  devgid=14,devmode=0660  0  0


Adding users to the "usb" group is inherently insecure, as they can bypass access restrictions imposed through the driver-specific USB device nodes. For instance, they can read sensitive data from USB hard drives without being in the "disk" group. Avoid adding users to this group, if you can.
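To review who currently holds that access, list every account that is in the group either as a supplementary member in /etc/group or through its primary gid in /etc/passwd (the second case is easy to miss). This is an added example, not part of the BLFS book; the function name is illustrative and the file arguments exist so it can be run against copies.

```shell
#!/bin/sh
# Added example: enumerate the effective members of the catch-all USB group.

# usb_group_members [GROUP_FILE] [PASSWD_FILE] [GROUP_NAME]
#   Prints "user:how" per line, where how is supplementary, primary or
#   primary+supplementary. Prints nothing if the group has no members.
usb_group_members() (
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    group_name=${3:-usb}

    awk -F: -v g="$group_name" '
        # First file: the group database. Record the gid of the group
        # and every user listed in its member field.
        FILENAME == ARGV[1] {
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++)
                    if (m[i] != "") how[m[i]] = "supplementary"
            }
            next
        }
        # Second file: the password database. A user whose primary gid
        # equals the group gid is a member even when the group file
        # does not list that user.
        gid != "" && $4 == gid {
            if ($1 in how) how[$1] = "primary+supplementary"
            else           how[$1] = "primary"
        }
        END { for (u in how) print u ":" how[u] }
    ' "$group_file" "$passwd_file" | sort
)

# Usage:  usb_group_members            (reads /etc/group and /etc/passwd)
```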

Udev Device Attributes

Device attributes such as group name and permissions can be fine-tuned by creating extra udev rules that match on the device's vendor and product, as in the rule shown below. The vendor and product can be found by searching the /sys/devices directory entries or using udevadm info after the device has been attached. See the documentation in the current udev directory of /usr/share/doc for details.

SUBSYSTEM=="usb_device", SYSFS{idVendor}=="05d8", SYSFS{idProduct}=="4002", \
  GROUP:="scanner", MODE:="0660"


The above line is used for descriptive purposes only. The scanner udev rules are put into place when installing SANE-1.0.24.

Devices for Servers

In some cases, it makes sense to disable udev completely and create static devices. Servers are one example of this situation. Does a server need the capability of handling dynamic devices? Only the system administrator can answer that question, but in many cases the answer will be no.

If dynamic devices are not desired, then static devices must be created on the system. In the default configuration, the /etc/rc.d/rcS.d/S10udev boot script mounts a tmpfs partition over the /dev directory. This problem can be overcome by mounting the root partition temporarily:


If the instructions below are not followed carefully, your system could become unbootable.

mount --bind / /mnt
cp -a /dev/* /mnt/dev
rm /etc/rc.d/rcS.d/{S10udev,S50udev_retry}
umount /mnt

At this point, the system will use static devices upon the next reboot. Create any desired additional devices using mknod.

If you want to restore the dynamic devices, recreate the /etc/rc.d/rcS.d/{S10udev,S50udev_retry} symbolic links and reboot again. Static devices do not need to be removed (console and null are always needed) because they are covered by the tmpfs partition. Disk usage for devices is negligible (about 20–30 bytes per entry.)

Last updated on 2012-03-13 11:19:34 -0700

The Bash Shell Startup Files

The shell program /bin/bash (hereafter referred to as just "the shell") uses a collection of startup files to help create an environment. Each file has a specific use and may affect login and interactive environments differently. The files in the /etc directory generally provide global settings. If an equivalent file exists in your home directory it may override the global settings.

An interactive login shell is started after a successful login, using /bin/login, by reading the /etc/passwd file. This shell invocation normally reads /etc/profile and its private equivalent ~/.bash_profile upon startup.

An interactive non-login shell is normally started at the command-line using a shell program (e.g., [prompt]$/bin/bash) or by the /bin/su command. An interactive non-login shell is also started with a terminal program such as xterm or konsole from within a graphical environment. This type of shell invocation normally copies the parent environment and then reads the user's ~/.bashrc file for additional startup configuration instructions.

A non-interactive shell is usually present when a shell script is running. It is non-interactive because it is processing a script and not waiting for user input between commands. For these shell invocations, only the environment inherited from the parent shell is used.

The file ~/.bash_logout is not used for an invocation of the shell. It is read and executed when a user exits from an interactive login shell.

Many distributions use /etc/bashrc for system wide initialization of non-login shells. This file is usually called from the user's ~/.bashrc file and is not built directly into bash itself. This convention is followed in this section.

For more information see info bash -- Nodes: Bash Startup Files and Interactive Shells.


Most of the instructions below are used to create files located in the /etc directory structure, which requires you to execute the commands as the root user. If you elect to create the files in users' home directories instead, you should run the commands as an unprivileged user.


Here is a base /etc/profile. This file starts by setting up some helper functions and some basic parameters. It specifies some bash history parameters and, for security purposes, disables keeping a permanent history file for the root user. It also sets a default user prompt. It then calls small, single purpose scripts in the /etc/profile.d directory to provide most of the initialization.

For more information on the escape sequences you can use for your prompt (i.e., the PS1 environment variable) see info bash -- Node: Printing a Prompt.

cat > /etc/profile << "EOF"
# Begin /etc/profile
# Written for Beyond Linux From Scratch
# by James Robertson <>
# modifications by Dagmar d'Surreal <rivyqntzne@pbzpnfg.arg>

# System wide environment variables and startup programs.

# System wide aliases and functions should go in /etc/bashrc.  Personal
# environment variables and startup programs should go into
# ~/.bash_profile.  Personal aliases and functions should go into
# ~/.bashrc.

# Functions to help us manage paths.  Second argument is the name of the
# path variable to be modified (default: PATH)
pathremove () {
        local IFS=':'
        local NEWPATH
        local DIR
        local PATHVARIABLE=${2:-PATH}
        for DIR in ${!PATHVARIABLE} ; do
                if [ "$DIR" != "$1" ] ; then
                  NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
                fi
        done
        export $PATHVARIABLE="$NEWPATH"
}

pathprepend () {
        pathremove $1 $2
        local PATHVARIABLE=${2:-PATH}
        export $PATHVARIABLE="$1${!PATHVARIABLE:+:${!PATHVARIABLE}}"
}

pathappend () {
        pathremove $1 $2
        local PATHVARIABLE=${2:-PATH}
        export $PATHVARIABLE="${!PATHVARIABLE:+${!PATHVARIABLE}:}$1"
}

export -f pathremove pathprepend pathappend

# Set the initial path
export PATH=/bin:/usr/bin

if [ $EUID -eq 0 ] ; then
        pathappend /sbin:/usr/sbin
        unset HISTFILE
fi

# Setup some environment variables.
export HISTSIZE=1000
export HISTIGNORE="&:[bf]g:exit"

# Set some defaults for graphical systems
export XDG_DATA_DIRS=/usr/share/
export XDG_CONFIG_DIRS=/etc/xdg/

# Setup a red prompt for root and a green one for users.
NORMAL="\[\e[0m\]"
RED="\[\e[1;31m\]"
GREEN="\[\e[1;32m\]"
if [[ $EUID == 0 ]] ; then
  PS1="$RED\u [ $NORMAL\w$RED ]# $NORMAL"
else
  PS1="$GREEN\u [ $NORMAL\w$GREEN ]\$ $NORMAL"
fi

for script in /etc/profile.d/*.sh ; do
        if [ -r $script ] ; then
                . $script
        fi
done

unset script RED GREEN NORMAL

# End /etc/profile
EOF

The /etc/profile.d Directory

Now create the /etc/profile.d directory, where the individual initialization scripts are placed:

install --directory --mode=0755 --owner=root --group=root /etc/profile.d


This script uses the ~/.dircolors and /etc/dircolors files to control the colors of file names in a directory listing. They control colorized output of things like ls --color. The explanation of how to initialize these files is at the end of this section.

cat > /etc/profile.d/ << "EOF"
# Setup for /bin/ls and /bin/grep to support color, the alias is in /etc/bashrc.
if [ -f "/etc/dircolors" ] ; then
        eval $(dircolors -b /etc/dircolors)

        if [ -f "$HOME/.dircolors" ] ; then
                eval $(dircolors -b $HOME/.dircolors)
        fi
fi
alias ls='ls --color=auto'
alias grep='grep --color=auto'
EOF


This script adds some useful paths to the PATH and can be used to customize other PATH related environment variables (e.g. LD_LIBRARY_PATH, etc) that may be needed for all users.

cat > /etc/profile.d/ << "EOF"
if [ -d /usr/local/lib/pkgconfig ] ; then
        pathappend /usr/local/lib/pkgconfig PKG_CONFIG_PATH
fi
if [ -d /usr/local/bin ]; then
        pathprepend /usr/local/bin
fi
if [ -d /usr/local/sbin -a $EUID -eq 0 ]; then
        pathprepend /usr/local/sbin
fi
EOF


This script sets up the default inputrc configuration file. If the user does not have individual settings, it uses the global file.

cat > /etc/profile.d/ << "EOF"
# Setup the INPUTRC environment variable.
if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ] ; then
        INPUTRC=/etc/inputrc
fi
export INPUTRC
EOF


Setting the umask value is important for security. Here the default group write permissions are turned off for system users and when the user name and group name are not the same.

cat > /etc/profile.d/ << "EOF"
# By default, the umask should be set.
if [ "$(id -gn)" = "$(id -un)" -a $EUID -gt 99 ] ; then
  umask 002
else
  umask 022
fi
EOF


This script sets an environment variable necessary for native language support. A full discussion on determining this variable can be found on the LFS Bash Shell Startup Files page.

cat > /etc/profile.d/ << "EOF"
# Set up i18n variables
export LANG=<ll>_<CC>.<charmap><@modifiers>
EOF

Other Initialization Values

Other initialization can easily be added to the profile by adding additional scripts to the /etc/profile.d directory.


Here is a base /etc/bashrc. Comments in the file should explain everything you need.

cat > /etc/bashrc << "EOF"
# Begin /etc/bashrc
# Written for Beyond Linux From Scratch
# by James Robertson <>
# updated by Bruce Dubbs <>

# System wide aliases and functions.

# System wide environment variables and startup programs should go into
# /etc/profile.  Personal environment variables and startup programs
# should go into ~/.bash_profile.  Personal aliases and functions should
# go into ~/.bashrc

# Provides colored /bin/ls and /bin/grep commands.  Used in conjunction
# with code in /etc/profile.

alias ls='ls --color=auto'
alias grep='grep --color=auto'

# Provides prompt for non-login shells, specifically shells started
# in the X environment. [Review the LFS archive thread titled
# PS1 Environment Variable for a great case study behind this script
# addendum.]

NORMAL="\[\e[0m\]"
RED="\[\e[1;31m\]"
GREEN="\[\e[1;32m\]"
if [[ $EUID == 0 ]] ; then
  PS1="$RED\u [ $NORMAL\w$RED ]# $NORMAL"
else
  PS1="$GREEN\u [ $NORMAL\w$GREEN ]\$ $NORMAL"
fi

# End /etc/bashrc
EOF


Here is a base ~/.bash_profile. If you want each new user to have this file automatically, just change the output of the command to /etc/skel/.bash_profile and check the permissions after the command is run. You can then copy /etc/skel/.bash_profile to the home directories of already existing users, including root, and set the owner and group appropriately.

cat > ~/.bash_profile << "EOF"
# Begin ~/.bash_profile
# Written for Beyond Linux From Scratch
# by James Robertson <>
# updated by Bruce Dubbs <>

# Personal environment variables and startup programs.

# Personal aliases and functions should go in ~/.bashrc.  System wide
# environment variables and startup programs are in /etc/profile.
# System wide aliases and functions are in /etc/bashrc.

if [ -f "$HOME/.bashrc" ] ; then
  source $HOME/.bashrc
fi

if [ -d "$HOME/bin" ] ; then
  pathprepend $HOME/bin
fi

# Having . in the PATH is dangerous
#if [ $EUID -gt 99 ]; then
#  pathappend .
#fi

# End ~/.bash_profile
EOF
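The comment in ~/.bash_profile warns that having . in the PATH is dangerous. The same applies to an empty entry (a leading, trailing or doubled colon, which the shell also searches as the current directory), to relative entries, and to directories that group or other can write to. The check below is an added example, not part of the BLFS book; the function name audit_path is illustrative.

```shell
#!/bin/sh
# Added example: flag PATH entries that let someone else decide which
# program a command name runs.

# audit_path [PATH_STRING]
#   Checks PATH_STRING (default: the current $PATH). Prints one finding
#   per line and returns 1 if there are findings, 0 otherwise.
audit_path() (
    # A trailing ":" makes a trailing empty entry survive the split below.
    path=${1-$PATH}:
    rc=0

    set -f          # no pathname expansion while splitting
    IFS=:
    set -- $path

    for dir in "$@"; do
        case $dir in
            '')
                echo "EMPTY entry: searched as the current directory"
                rc=1 ;;
            .)
                echo "DOT entry: the current directory is searched"
                rc=1 ;;
            /*)
                # -H follows a symlinked entry so that the mode of the
                # real directory is tested, not the mode of the link.
                if [ -d "$dir" ] &&
                   [ -n "$(find -H "$dir" -prune \( -perm -020 -o -perm -002 \))" ]
                then
                    echo "WRITABLE $dir"
                    rc=1
                fi ;;
            *)
                echo "RELATIVE $dir"
                rc=1 ;;
        esac
    done
    exit "$rc"
)

# Usage:  audit_path            (checks the PATH of the current shell)
```

Running it from a login shell after the startup files have been sourced shows the PATH that /etc/profile, the /etc/profile.d scripts and ~/.bash_profile actually produced.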


Here is a base ~/.bashrc. The comments and instructions for using /etc/skel for .bash_profile above also apply here. Only the target file names are different.

cat > ~/.bashrc << "EOF"
# Begin ~/.bashrc
# Written for Beyond Linux From Scratch
# by James Robertson <>

# Personal aliases and functions.

# Personal environment variables and startup programs should go in
# ~/.bash_profile.  System wide environment variables and startup
# programs are in /etc/profile.  System wide aliases and functions are
# in /etc/bashrc.

if [ -f "/etc/bashrc" ] ; then
  source /etc/bashrc
fi

# End ~/.bashrc
EOF


This is an empty ~/.bash_logout that can be used as a template. You will notice that the base ~/.bash_logout does not include a clear command. This is because the clear is handled in the /etc/issue file.

cat > ~/.bash_logout << "EOF"
# Begin ~/.bash_logout
# Written for Beyond Linux From Scratch
# by James Robertson <>

# Personal items to perform on logout.

# End ~/.bash_logout
EOF


If you want to use the dircolors capability, then run the following command. The /etc/skel setup steps shown above also can be used here to provide a ~/.dircolors file when a new user is set up. As before, just change the output file name on the following command and assure the permissions, owner, and group are correct on the files created and/or copied.

dircolors -p > /etc/dircolors

If you wish to customize the colors used for different file types, you can edit the /etc/dircolors file. The instructions for setting the colors are embedded in the file.

Finally, Ian Macdonald has written an excellent collection of tips and tricks to enhance your shell environment. You can read it online at

Last updated on 2014-09-16 10:29:57 -0700

The /etc/vimrc and ~/.vimrc Files

The LFS book installs Vim as its text editor. At this point it should be noted that there are a lot of different editing applications out there including Emacs, nano, Joe and many more. Anyone who has been around the Internet (especially usenet) for a short time will certainly have observed at least one flame war, usually involving Vim and Emacs users!

The LFS book creates a basic vimrc file. In this section you'll find an attempt to enhance this file. At startup, vim reads the global configuration file (/etc/vimrc) as well as a user-specific file (~/.vimrc). Either or both can be tailored to suit the needs of your particular system.

Here is a slightly expanded .vimrc that you can put in ~/.vimrc to provide user specific effects. Of course, if you put it into /etc/skel/.vimrc instead, it will be made available to users you add to the system later. You can also copy the file from /etc/skel/.vimrc to the home directory of users already on the system, such as root. Be sure to set permissions, owner, and group if you do copy anything directly from /etc/skel.

" Begin .vimrc

set columns=80
set wrapmargin=8
set ruler

" End .vimrc

Note that the comment tags are " instead of the more usual # or //. This is correct; the syntax for vimrc is slightly unusual.

Below you'll find a quick explanation of what each of the options in this example file means:

  • set columns=80: This simply sets the number of columns used on the screen.

  • set wrapmargin=8: This is the number of characters from the right window border where wrapping starts.

  • set ruler: This makes vim show the current row and column at the bottom right of the screen.

More information on the many vim options can be found by reading the help inside vim itself. Do this by typing :help in vim to get the general help, or by typing :help usr_toc.txt to view the User Manual Table of Contents.

Last updated on 2007-10-16 06:02:24 -0700

Customizing your Logon with /etc/issue

When you first boot up your new LFS system, the logon screen will be nice and plain (as it should be in a bare-bones system). Many people however, will want their system to display some information in the logon message. This can be accomplished using the file /etc/issue.

The /etc/issue file is a plain text file which will also accept certain escape sequences (see below) in order to insert information about the system. There is also the file which can be used when logging on remotely. ssh however, will only use it if you set the option in the configuration file and will not interpret the escape sequences shown below.

One of the most common things which people want to do is clear the screen at each logon. The easiest way of doing that is to put a "clear" escape sequence into /etc/issue. A simple way of doing this is to issue the command clear > /etc/issue. This will insert the relevant escape code into the start of the /etc/issue file. Note that if you do this, when you edit the file, you should leave the characters (normally '^[[H^[[2J') on the first line alone.


Terminal escape sequences are special codes recognized by the terminal. The ^[ represents an ASCII ESC character. The sequence ESC [ H puts the cursor in the upper left hand corner of the screen and ESC [ 2 J erases the screen. For more information on terminal escape sequences see

The following sequences are recognized by agetty (the program which usually parses /etc/issue). This information is from man agetty where you can find extra information about the logon process.

The issue file can contain certain character sequences to display various information. All issue sequences consist of a backslash (\) immediately followed by one of the letters explained below (so \d in /etc/issue would insert the current date).

b   Insert the baudrate of the current line.
d   Insert the current date.
s   Insert the system name, the name of the operating system.
l   Insert the name of the current tty line.
m   Insert the architecture identifier of the machine, e.g., i686.
n   Insert the nodename of the machine, also known as the hostname.
o   Insert the domainname of the machine.
r   Insert the release number of the kernel, e.g.,
t   Insert the current time.
u   Insert the number of current users logged in.
U   Insert the string "1 user" or "<n> users" where <n> is the
    number of current users logged in.
v   Insert the version of the OS, e.g., the build-date etc.

Last updated on 2007-04-04 12:42:53 -0700

The /etc/shells File

The shells file contains a list of login shells on the system. Applications use this file to determine whether a shell is valid. For each shell a single line should be present, consisting of the shell's path, relative to the root of the directory structure (/).

For example, this file is consulted by chsh to determine whether an unprivileged user may change the login shell for her own account. If the command name is not listed, the user will be denied the change.

It is a requirement for applications such as GDM, which does not populate the face browser if it can't find /etc/shells, or FTP daemons, which traditionally disallow access to users with shells not included in this file.

cat > /etc/shells << "EOF"
# Begin /etc/shells

/bin/sh
/bin/bash

# End /etc/shells
EOF

Last updated on 2007-04-04 12:42:53 -0700

Random Number Generation

The Linux kernel supplies a random number generator which is accessed through /dev/random and /dev/urandom. Programs that utilize the random and urandom devices, such as OpenSSH, will benefit from these instructions.

When a Linux system starts up without much operator interaction, the entropy pool (data used to compute a random number) may be in a fairly predictable state. This creates the real possibility that the number generated at startup may always be the same. In order to counteract this effect, you should carry the entropy pool information across your shut-downs and start-ups.

Install the /etc/rc.d/init.d/random init script included with the blfs-bootscripts-20140919 package.

make install-random

Last updated on 2007-04-04 12:42:53 -0700


Introduction to lsb_release

The lsb_release script gives information about the Linux Standard Base (LSB) status of the distribution.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information

Installation of lsb_release

First fix a minor display problem:

sed -i "s|n/a|unavailable|" lsb_release

Install lsb_release by running the following commands:

./help2man -N --include ./lsb_release.examples \
              --alt_version_key=program_version ./lsb_release > lsb_release.1

Now, as the root user:

install -v -m 644 lsb_release.1 /usr/share/man/man1/lsb_release.1 &&
install -v -m 755 lsb_release /usr/bin/lsb_release

Configuration Information

The configuration for this package was done in LFS. The file /etc/lsb-release should already exist. Be sure that the DISTRIB_CODENAME entry has been set properly.


Installed Programs: lsb_release
Installed Library: None
Installed Directories: None

Short Descriptions


lsb_release is a script to give LSB data.

Last updated on 2014-09-08 23:39:08 -0700

Chapter 4. Security

Security takes many forms in a computing environment. After some initial discussion, this chapter gives examples of three different types of security: access, prevention and detection.

Access for users is usually handled by login or an application designed to handle the login function. In this chapter, we show how to enhance login by setting policies with PAM modules. Access via networks can also be secured by policies set by iptables, commonly referred to as a firewall. The Network Security Services (NSS) and Netscape Portable Runtime (NSPR) libraries can be installed and shared among the many applications requiring them. For applications that don't offer the best security, you can use the Stunnel package to wrap an application daemon inside an SSL tunnel.

Prevention of breaches, such as a trojan, is assisted by applications like GnuPG, specifically its ability to confirm signed packages, which detects modifications of the tarball after the packager creates it.

Finally, we touch on detection with a package that stores "signatures" of critical files (defined by the administrator) and then regenerates those "signatures" and compares for files that have been changed.


About vulnerabilities

All software has bugs. Sometimes, a bug can be exploited, for example to allow users to gain enhanced privileges (perhaps gaining a root shell, or simply accessing or deleting other users' files), or to allow a remote site to crash an application (denial of service), or for theft of data. These bugs are labelled as vulnerabilities.

The main place where vulnerabilities get logged is Unfortunately, many vulnerability numbers (CVE-yyyy-nnnn) are initially only labelled as "reserved" when distributions start issuing fixes. Also, some vulnerabilities apply to particular combinations of configure options, or only apply to old versions of packages which have long since been updated in BLFS.

BLFS differs from distributions - there is no BLFS security team, and the editors only become aware of vulnerabilities after they are public knowledge. Sometimes, a package with a vulnerability will not be updated in the book for a long time. Issues can be logged in the Trac system, which might speed up resolution.

The normal way for BLFS to fix a vulnerability is, ideally, to update the book to a new fixed release of the package. Sometimes that happens even before the vulnerability is public knowledge, so there is no guarantee that it will be shown as a vulnerability fix in the Changelog. Alternatively, a sed command, or a patch taken from a distribution, may be appropriate.

The bottom line is that you are responsible for your own security, and for assessing the potential impact of any problems.

To keep track of what is being discovered, you may wish to follow the security announcements of one or more distributions. For example, Debian has Debian security. Fedora's links on security are at the Fedora wiki. Details of Gentoo linux security announcements are discussed at Gentoo security. Finally, the Slackware archives of security announcements are at Slackware security.

The most general English source is perhaps the Full Disclosure Mailing List, but please read the comment on that page. If you use other languages you may prefer other sites such as (German) or (Croatian). These are not linux-specific. There is also a daily update at for subscribers (free access to the data after 2 weeks, but their vulnerabilities database at is unrestricted).

For some packages, subscribing to their 'announce' lists will provide prompt news of newer versions.

Last updated on 2013-12-30 02:12:57 -0800

Certificate Authority Certificates

The Public Key Infrastructure is used for many security issues in a Linux system. In order for a certificate to be trusted, it must be signed by a trusted agent called a Certificate Authority (CA). The certificates loaded by this section are taken from the list on the Mozilla version control system and formatted into a form used by OpenSSL-1.0.1i. The certificates can also be used by other applications either directly or indirectly through openssl.

This package is known to build and work properly using an LFS-7.6 platform.

Introduction to Certificate Authorities

Package Information


The certfile.txt file above is actually retrieved from It is really an HTML file, but the text file can be retrieved indirectly from the HTML file. The Download URL above automates that process and also adds a line where the date can be extracted as a revision number by the scripts below.

Certificate Authority Certificates Dependencies





Installation of Certificate Authority Certificates

First create a script to reformat a certificate into a form needed by openssl. As the root user:

cat > /usr/bin/ << "EOF"
#!/usr/bin/perl -w

# Used to generate PEM encoded files from Mozilla certdata.txt.
# Run as ./ > certificate.crt
# Parts of this script courtesy of RedHat (
# This script modified for use with single file data (tempfile.cer) extracted
# from certdata.txt, taken from the latest version in the Mozilla NSS source.
# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
# Authors: DJ Lucas
#          Bruce Dubbs
# Version 20120211

my $certdata = './tempfile.cer';

open( IN, "cat $certdata|" )
    || die "could not open $certdata";

my $incert = 0;

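while ( <IN> )
{
    # The DER bytes of a certificate follow this marker in certdata.txt
    if ( /^CKA_VALUE MULTILINE_OCTAL/ )
    {
        $incert = 1;
        open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
            || die "could not pipe to openssl x509";
    }

    elsif ( /^END/ && $incert )
    {
        close( OUT );
        $incert = 0;
        print "\n\n";
    }

    elsif ($incert)
    {
        # Each line is a run of backslash-separated octal byte values
        my @bs = split( /\\/ );
        foreach my $b (@bs)
        {
            chomp $b;
            printf( OUT "%c", oct($b) ) unless $b eq '';
        }
    }
}
EOF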

chmod +x /usr/bin/

The following script creates the certificates and a bundle of all the certificates. It creates a ./certs directory and ./BLFS-ca-bundle-${VERSION}.crt. Again create this script as the root user:

cat > /usr/bin/ << "EOF"
#!/bin/sh
# Begin
# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
# The file certdata.txt must exist in the local directory
# Version number is obtained from the version of the data.
# Authors: DJ Lucas
#          Bruce Dubbs
# Version 20120211

certdata="certdata.txt"

if [ ! -r $certdata ]; then
  echo "$certdata must be in the local directory"
  exit 1
fi

REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')

if [ -z "${REVISION}" ]; then
  echo "$certdata has no 'Revision' in CVS_ID"
  exit 1
fi

VERSION=$(echo $REVISION | cut -f2 -d" ")

TEMPDIR=$(mktemp -d)
BUNDLE="BLFS-ca-bundle-${VERSION}.crt"

mkdir "${TEMPDIR}/certs"

# Get a list of starting lines for each cert
CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)

# Get a list of ending lines for each cert
CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`

# Start a loop
for certbegin in ${CERTBEGINLIST}; do
  for certend in ${CERTENDLIST}; do
    # Stop at the first end marker that follows this certificate's start
    if test "${certend}" -gt "${certbegin}"; then
      break
    fi
  done

  # Dump to a temp file with the name of the file as the beginning line number
  sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
done


mkdir -p certs
rm -f certs/*      # Make sure the directory is clean

for tempfile in ${TEMPDIR}/certs/*.tmp; do
  # Make sure that the cert is trusted...
  grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
    egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null

  if test "${?}" = "0"; then
    # Throw a meaningful error and remove the file
    cp "${tempfile}" tempfile.cer
    perl ${CONVERTSCRIPT} > tempfile.crt
    keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
    echo "Certificate ${keyhash} is not trusted!  Removing..."
    rm -f tempfile.cer tempfile.crt "${tempfile}"
    continue
  fi

  # If execution made it to here in the loop, the temp cert is trusted
  # Find the cert data and generate a cert file for it

  cp "${tempfile}" tempfile.cer
  perl ${CONVERTSCRIPT} > tempfile.crt
  keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
  mv tempfile.crt "certs/${keyhash}.pem"
  rm -f tempfile.cer "${tempfile}"
  echo "Created ${keyhash}.pem"
done

# Remove blacklisted files
# MD5 Collision Proof of Concept CA
if test -f certs/8f111d69.pem; then
  echo "Certificate 8f111d69 is not trusted!  Removing..."
  rm -f certs/8f111d69.pem
fi

# Finally, generate the bundle and clean up.
cat certs/*.pem > "${BUNDLE}"
rm -r "${TEMPDIR}"
EOF

chmod +x /usr/bin/

Add a short script to remove expired certificates from a directory. Again create this script as the root user:

cat > /usr/bin/ << "EOF"
#!/bin/sh
# Begin /usr/bin/
# Version 20120211

# Make sure the date is parsed correctly on all systems
mydate()
{
  local y=$( echo $1 | cut -d" " -f4 )
  local M=$( echo $1 | cut -d" " -f1 )
  local d=$( echo $1 | cut -d" " -f2 )
  local m

  if [ ${d} -lt 10 ]; then d="0${d}"; fi

  case $M in
    Jan) m="01";;
    Feb) m="02";;
    Mar) m="03";;
    Apr) m="04";;
    May) m="05";;
    Jun) m="06";;
    Jul) m="07";;
    Aug) m="08";;
    Sep) m="09";;
    Oct) m="10";;
    Nov) m="11";;
    Dec) m="12";;
  esac

  # Build a sortable YYYYMMDD value for comparison with today's date
  certdate="${y}${m}${d}"
}

OPENSSL=/usr/bin/openssl
DIR=/etc/ssl/certs

# An optional first argument overrides the default directory
if [ $# -gt 0 ]; then
  DIR="$1"
fi

# The parentheses make -type f apply to both name patterns, so only
# regular files are examined and symlinks in the directory are left alone
certs=$( find ${DIR} -type f \( -name "*.pem" -o -name "*.crt" \) )
today=$( date +%Y%m%d )

for cert in $certs; do
  notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
  date=$( echo ${notafter} |  sed 's/^notAfter=//' )
  mydate "$date"

  if [ ${certdate} -lt ${today} ]; then
     echo "${cert} expired on ${certdate}! Removing..."
     rm -f "${cert}"
  fi
done
EOF

chmod +x /usr/bin/

The following commands will fetch the certificates and convert them to the correct format. If desired, a web browser may be used instead of wget but the file will need to be saved with the name certdata.txt. These commands can be repeated as necessary to update the CA Certificates.

URL= &&
rm -f certdata.txt &&
wget $URL          &&         && certs &&
unset URL

Now, as the root user:

SSLDIR=/etc/ssl                                              &&
install -d ${SSLDIR}/certs                                   &&
cp -v certs/*.pem ${SSLDIR}/certs                            &&
c_rehash                                                     &&
install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt          &&
ln -sfv ../ca-bundle.crt ${SSLDIR}/certs/ca-certificates.crt &&
unset SSLDIR

Finally, clean up the current directory:

rm -r certs BLFS-ca-bundle*

After installing or updating certificates, if OpenJDK is installed, update the certificates for Java using the procedures at the section called “Install or update the JRE Certificate Authority Certificates (cacerts) file”.
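The trust test in the bundle-building script above is a deny-list: an entry is dropped only when its CKA_TRUST_SERVER_AUTH line contains TRUST_UNKNOWN or NOT_TRUSTED. The following sketch is an added example, not one of the BLFS scripts; it applies that test and a stricter allow-list to a constructed certdata.txt fragment and decodes a MULTILINE_OCTAL block. The function names, the sample labels and bytes, and the allow-list policy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not one of the BLFS scripts. Function names are hypothetical.

# Write a constructed certdata.txt fragment to $1. The labels are invented and
# the octal bytes are NOT real certificates; they only exercise the parser.
write_sample() {
  cat > "$1" << 'SAMPLE'
# Certificate "Constructed Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Root A"
CKA_VALUE MULTILINE_OCTAL
\060\003\002
\001\101
END
# Trust for Certificate "Constructed Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
# Certificate "Constructed Root B"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Root B"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\102
END
# Trust for Certificate "Constructed Root B"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
# Certificate "Constructed Root C"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Root C"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\103
END
# Trust for Certificate "Constructed Root C"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
SAMPLE
}

# Print one tab-separated line per entry of file $1:
#   start line, deny-list verdict (the test used by the script above),
#   allow-list verdict (assumed stricter policy), trust value, label.
# Entries are delimited the same way as in the script above.
classify() {
  awk '
    /^# Certificate/ {
      start = NR; trust = "MISSING"
      label = $0; sub(/^# Certificate /, "", label)
    }
    start && /^CKA_TRUST_SERVER_AUTH/ { trust = $3 }
    start && /^CKA_TRUST_STEP_UP_APPROVED/ {
      deny  = (trust ~ /TRUST_UNKNOWN|NOT_TRUSTED/) ? "skip" : "keep"
      allow = (trust ~ /_TRUSTED_DELEGATOR$/) ? "keep" : "skip"
      printf "%d\t%s\t%s\t%s\t%s\n", start, deny, allow, trust, label
      start = 0
    }' "$1"
}

# Decode the MULTILINE_OCTAL block of the entry that starts at line $2 of
# file $1 and write the raw bytes to stdout.
decode_entry() {
  awk -v s="$2" '
    NR < s + 0 { next }
    /^CKA_VALUE MULTILINE_OCTAL/ { on = 1; next }
    on && /^END/ { exit }
    on { print }' "$1" |
  while IFS= read -r line; do
    # Each line is a run of \ooo escapes, which printf turns into bytes
    printf "$line"
  done
}

# Run with --demo to print the verdict table for the constructed fragment
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  write_sample "$f"
  classify "$f"
  rm -f "$f"
fi
```

On the constructed fragment the two policies disagree only on the CKT_NSS_MUST_VERIFY_TRUST entry: the deny-list keeps it because the value is not one of the two strings it names.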


Installed Programs:, and
Installed Libraries: None
Installed Directories: /etc/ssl/certs

Short Descriptions

is a shell script that reformats the certdata.txt file for use by openssl.

is a utility perl script that converts a single binary certificate (.der format) into .pem format.

is a utility perl script that removes expired certificates from a directory. The default directory is /etc/ssl/certs.

Last updated on 2014-09-11 23:27:59 -0700


Introduction to ConsoleKit

The ConsoleKit package is a framework for keeping track of the various users, sessions, and seats present on a system. It provides a mechanism for software to react to changes of any of these items or of any of the metadata associated with them.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information

ConsoleKit Dependencies


dbus-glib-0.102 and Xorg Libraries



If you intend NOT to install polkit, you will need to manually edit the ConsoleKit.conf file to lock down the service. Failure to do so may be a huge SECURITY HOLE.




Installation of ConsoleKit

Install ConsoleKit by running the following commands:

./configure --prefix=/usr        \
            --sysconfdir=/etc    \
            --localstatedir=/var \
            --enable-udev-acl    \
            --enable-pam-module  \
            --with-systemdsystemunitdir=no &&
make

This package does not come with a test suite.

Now, as the root user:

make install

Command Explanations

--enable-udev-acl: This switch enables building of the udev-acl tool, which is used to allow normal users to access device nodes normally only accessible to root.

--enable-pam-module: This switch enables building of the ConsoleKit PAM module which is needed for ConsoleKit to work correctly with PAM. Remove if Linux PAM is NOT installed.

--enable-docbook-docs: Use this switch if xmlto is installed and you wish to build the API documentation.

--with-systemdsystemunitdir=no: Disable attempting to build with systemd libraries.

Configuring ConsoleKit

PAM Module Configuration

If you use Linux PAM you need to configure Linux PAM to activate ConsoleKit upon user login. This can be achieved by editing the /etc/pam.d/system-session file as the root user:

cat >> /etc/pam.d/system-session << "EOF"
# Begin ConsoleKit addition

session   optional
session   optional nox11

# End ConsoleKit addition
EOF

You will also need a helper script that creates a file in /var/run/console named as the currently logged in user and that contains the D-Bus address of the session. You can create the script by running the following commands as the root user:

cat > /usr/lib/ConsoleKit/run-session.d/ << "EOF"
#!/bin/sh
# Directory that holds one tag file per locally logged in user
TAGDIR=/var/run/console

[ -n "$CK_SESSION_USER_UID" ] || exit 1
[ "$CK_SESSION_IS_LOCAL" = "true" ] || exit 0

TAGFILE="$TAGDIR/`getent passwd $CK_SESSION_USER_UID | cut -f 1 -d:`"

if [ "$1" = "session_added" ]; then
    mkdir -p "$TAGDIR"
    echo "$CK_SESSION_ID" >> "$TAGFILE"
fi

if [ "$1" = "session_removed" ] && [ -e "$TAGFILE" ]; then
    sed -i "\%^$CK_SESSION_ID\$%d" "$TAGFILE"
    [ -s "$TAGFILE" ] || rm -f "$TAGFILE"
fi
EOF
chmod -v 755 /usr/lib/ConsoleKit/run-session.d/

See /usr/share/doc/ConsoleKit/spec/ConsoleKit.html for more configuration.


Installed Programs: ck-history, ck-launch-session, ck-list-sessions, ck-log-system-restart, ck-log-system-start, ck-log-system-stop and console-kit-daemon
Installed Libraries: and
Installed Directories: /etc/ConsoleKit, /usr/include/ConsoleKit, /usr/lib/ConsoleKit, /usr/share/doc/ConsoleKit and /var/log/ConsoleKit

Short Descriptions


list sessions with respective properties. Also good for debugging purposes.

Last updated on 2014-09-14 14:01:57 -0700


Introduction to CrackLib

The CrackLib package contains a library used to enforce strong passwords by comparing user selected passwords to words in chosen word lists.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information

Additional Downloads

There are additional word lists available for download, e.g., from CrackLib can utilize as many, or as few word lists you choose to install.


Users tend to base their passwords on regular words of the spoken language, and crackers know that. CrackLib is intended to filter out such bad passwords at the source using a dictionary created from word lists. To accomplish this, the word list(s) for use with CrackLib must be an exhaustive list of words and word-based keystroke combinations likely to be chosen by users of the system as (guessable) passwords.

The default word list recommended above for downloading mostly satisfies this role in English-speaking countries. In other situations, it may be necessary to download (or even create) additional word lists.

Note that word lists suitable for spell-checking are not usable as CrackLib word lists in countries with non-Latin based alphabets, because of “word-based keystroke combinations” that make bad passwords.

CrackLib Dependencies




Installation of CrackLib

Install CrackLib by running the following commands:

./configure --prefix=/usr \
            --with-default-dict=/lib/cracklib/pw_dict \
            --disable-static &&
make

Now, as the root user:

make install &&
mv -v /usr/lib/* /lib &&
ln -sfv ../../lib/$(readlink /usr/lib/ /usr/lib/

Issue the following commands as the root user to install the recommended word list and create the CrackLib dictionary. Other word lists (text based, one word per line) can also be used by simply installing them into /usr/share/dict and adding them to the create-cracklib-dict command.

install -v -m644 -D    ../cracklib-words-20080507.gz           \
                         /usr/share/dict/cracklib-words.gz     &&
gunzip -v                /usr/share/dict/cracklib-words.gz     &&
ln -v -sf cracklib-words /usr/share/dict/words                 &&
echo $(hostname) >>      /usr/share/dict/cracklib-extra-words  &&
install -v -m755 -d      /lib/cracklib                         &&
create-cracklib-dict     /usr/share/dict/cracklib-words        \
                         /usr/share/dict/cracklib-extra-words

If desired, check the proper operation of the library as an unprivileged user by issuing the following command:

make test


If you are installing CrackLib after your LFS system has been completed and you have the Shadow package installed, you must reinstall Shadow-4.2.1 if you wish to provide strong password support on your system. If you are now going to install the Linux-PAM-1.1.8 package, you may disregard this note as Shadow will be reinstalled after the Linux-PAM installation.

Command Explanations

--with-default-dict=/lib/cracklib/pw_dict: This parameter forces the installation of the CrackLib dictionary to the /lib hierarchy.

--disable-static: This switch prevents installation of static versions of the libraries.

mv -v /usr/lib/* /lib and ln -v -sf ../../lib/ ...: These two commands move the library and associated symlink from /usr/lib to /lib, then recreate the /usr/lib/ symlink pointing to the relocated file.

install -v -m644 -D ...: This command creates the /usr/share/dict directory (if it doesn't already exist) and installs the compressed word list there.

ln -v -s cracklib-words /usr/share/dict/words: The word list is linked to /usr/share/dict/words as historically, words is the primary word list in the /usr/share/dict directory. Omit this command if you already have a /usr/share/dict/words file installed on your system.

echo $(hostname) >>...: The value of hostname is echoed to a file called cracklib-extra-words. This extra file is intended to be a site specific list which includes easy to guess passwords such as company or department names, user's names, product names, computer names, domain names, etc.

create-cracklib-dict ...: This command creates the CrackLib dictionary from the word lists. Modify the command to add any additional word lists you have installed.


Installed Programs: cracklib-check, cracklib-format, cracklib-packer, cracklib-unpacker and create-cracklib-dict
Installed Libraries: and the Python module
Installed Directories: /lib/cracklib, /usr/share/dict and /usr/share/cracklib

Short Descriptions


is used to determine if a password is strong.


is used to create the CrackLib dictionary from the given word list(s).

provides a fast dictionary lookup method for strong password enforcement.

Last updated on 2014-09-10 06:19:10 -0700

Cyrus SASL-2.1.26

Introduction to Cyrus SASL

The Cyrus SASL package contains a Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. To use SASL, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information

Additional Downloads

Cyrus SASL Dependencies




Linux-PAM-1.1.8, MIT Kerberos V5-1.12.2, MariaDB-10.0.13 or MySQL, OpenJDK-, OpenLDAP-2.4.39, PostgreSQL-9.3.5, SQLite-3.8.6, krb4 and Dmalloc


Installation of Cyrus SASL

Install Cyrus SASL by running the following commands:

patch -Np1 -i ../cyrus-sasl-2.1.26-fixes-3.patch &&
autoreconf -fi &&
./configure --prefix=/usr        \
            --sysconfdir=/etc    \
            --enable-auth-sasldb \
            --with-dbpath=/var/lib/sasl/sasldb2 \
            --with-saslauthd=/var/run/saslauthd &&
make

This package does not come with a test suite. If you are planning on using the GSSAPI authentication mechanism, it is recommended to test it after installing the package using the sample server and client programs which were built in the preceding step. Instructions for performing the tests can be found at

Now, as the root user:

make install &&
install -v -dm755 /usr/share/doc/cyrus-sasl-2.1.26 &&
install -v -m644  doc/{*.{html,txt,fig},ONEWS,TODO} \
    saslauthd/LDAP_SASLAUTHD /usr/share/doc/cyrus-sasl-2.1.26 &&
install -v -dm700 /var/lib/sasl

Command Explanations

--with-dbpath=/var/lib/sasl/sasldb2: This switch forces the sasldb database to be created in /var/lib/sasl instead of /etc.

--with-saslauthd=/var/run/saslauthd: This switch forces saslauthd to use the FHS compliant directory /var/run/saslauthd for variable run-time data.

--enable-auth-sasldb: This switch enables SASLDB authentication backend.

--with-dblib=gdbm: This switch forces GDBM to be used instead of Berkeley DB.

--with-ldap: This switch enables the OpenLDAP support.

--enable-ldapdb: This switch enables the LDAPDB authentication backend. There is a circular dependency with this parameter. See for a solution to this problem.

--enable-java: This switch enables compiling of the Java support libraries.

--enable-login: This option enables unsupported LOGIN authentication.

--enable-ntlm: This option enables unsupported NTLM authentication.

install -v -m644 ...: These commands install documentation which is not installed by the make install command.

install -v -m700 -d /var/lib/sasl: This directory must exist when starting saslauthd or using the sasldb plugin. If you're not going to be running the daemon or using the plugins, you may omit the creation of this directory.

Configuring Cyrus SASL

Config Files

/etc/saslauthd.conf (for saslauthd LDAP configuration) and /etc/sasl2/Appname.conf (where "Appname" is the application defined name of the application)

Configuration Information

See file:///usr/share/doc/cyrus-sasl-2.1.26/sysadmin.html for information on what to include in the application configuration files.

See file:///usr/share/doc/cyrus-sasl-2.1.26/LDAP_SASLAUTHD for configuring saslauthd with OpenLDAP.

See file:///usr/share/doc/cyrus-sasl-2.1.26/gssapi.html for configuring saslauthd with Kerberos.

Init Script

If you need to run the saslauthd daemon at system startup, install the /etc/rc.d/init.d/saslauthd init script included in the blfs-bootscripts-20140919 package using the following command:

make install-saslauthd


You'll need to modify /etc/sysconfig/saslauthd and replace the AUTHMECH parameter with your desired authentication mechanism.


Installed Programs: pluginviewer, saslauthd, sasldblistusers2, saslpasswd2 and testsaslauthd
Installed Library:
Installed Directories: /usr/include/sasl, /usr/lib/sasl2, /usr/share/doc/cyrus-sasl-2.1.26 and /var/lib/sasl

Short Descriptions


is used to list loadable SASL plugins and their properties.


is the SASL authentication server.


is used to list the users in the SASL password database sasldb2.


is used to set and delete a user's SASL password and mechanism specific secrets in the SASL password database sasldb2.


is a test utility for the SASL authentication server.

is a general purpose authentication library for server and client applications.

Last updated on 2014-09-17 11:48:47 -0700


Introduction to GnuPG

The GnuPG package is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440 and the S/MIME standard as described by several RFCs. GnuPG 2 is the stable version of GnuPG integrating support for OpenPGP and S/MIME.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information

GnuPG 2 Dependencies


Pth-2.0.7, Libassuan-2.1.2, libgcrypt-1.6.2, and Libksba-1.3.0


OpenLDAP-2.4.39, libusb-compat-0.1.5, cURL-7.37.1, GNU adns, and an MTA


Installation of GnuPG

Install GnuPG by running the following commands:

./configure --prefix=/usr \
            --enable-symcryptrun \
            --docdir=/usr/share/doc/gnupg-2.0.26 &&
make &&

makeinfo --html --no-split -o doc/gnupg_nochunks.html doc/gnupg.texi &&
makeinfo --plaintext       -o doc/gnupg.txt           doc/gnupg.texi

If you have texlive-20140525 installed and you wish to create documentation in alternate formats, issue the following commands:

make -C doc pdf ps html

To test the results, issue: make check.

Note that if you have already installed GnuPG, the instructions below will overwrite /usr/share/man/man1/gpg-zip.1. Now, as the root user:

make install &&

install -v -m755 -d /usr/share/doc/gnupg-2.0.26/html       &&
install -v -m644    doc/gnupg_nochunks.html \
                    /usr/share/doc/gnupg-2.0.26/gnupg.html &&
install -v -m644    doc/*.texi doc/gnupg.txt \
                    /usr/share/doc/gnupg-2.0.26

We recommend the creation of symlinks for compatibility with the first version of GnuPG, because some programs or scripts need them. Issue, as root user:

for f in gpg gpgv
do
  ln -svf ${f}2.1 /usr/share/man/man1/$f.1 &&
  ln -svf ${f}2   /usr/bin/$f
done
unset f

If you created alternate formats of the documentation, install it using the following command as the root user:

install -v -m644 doc/gnupg.html/* \
                 /usr/share/doc/gnupg-2.0.26/html &&
install -v -m644 doc/gnupg.{pdf,dvi,ps} \
                 /usr/share/doc/gnupg-2.0.26

Command Explanations

--docdir=/usr/share/doc/gnupg-2.0.26: This switch changes the default docdir to /usr/share/doc/gnupg-2.0.26.

--enable-symcryptrun: This switch enables building the symcryptrun program.


Installed Programs: addgnupghome, applygnupgdefaults, gnupg-pcsc-wrapper, gpg, gpg-agent, gpg-check-pattern, gpg-connect-agent, gpg-preset-passphrase, gpg-protect-tool, gpg2, gpg2keys_curl, gpg2keys_finger, gpg2keys_hkp, gpg2keys_ldap, gpgconf, gpgkey2ssh, gpgparsemail, gpgsm,, gpgv, gpgv2, kbxutil, scdaemon, symcryptrun, and watchgnupg
Installed Libraries: None
Installed Directories: /usr/share/doc/gnupg-2.0.26 and /usr/share/gnupg

Short Descriptions


is used to create and populate user's ~/.gnupg directories


is a wrapper script used to run gpgconf with the --apply-defaults parameter on all user's GnuPG home directories.


is a daemon used to manage secret (private) keys independently from any protocol. It is used as a backend for gpg2 and gpgsm as well as for a couple of other utilities.


is a utility used to communicate with a running gpg-agent.


(optional) is a symlink to gpg2 for compatibility with the first version of GnuPG.


is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool used to provide digital encryption and signing services using the OpenPGP standard.


is a utility used to automatically and reasonably safely query and modify configuration files in the ~/.gnupg home directory. It is designed not to be invoked manually by the user, but automatically by graphical user interfaces.


is a utility currently only useful for debugging. Run it with --help for usage information.


is a tool similar to gpg2 used to provide digital encryption and signing services on X.509 certificates and the CMS protocol. It is mainly used as a backend for S/MIME mail processing.

is a simple tool used to interactively generate a certificate request which will be printed to stdout.


(optional) is a symlink to gpgv2 for compatibility with the first version of GnuPG.


is a verify only version of gpg2.


is used to list, export and import Keybox data.


is a daemon used to manage smartcards. It is usually invoked by gpg-agent and in general not used directly.


is a simple symmetric encryption tool.


is used to listen to a Unix Domain socket created by any of the GnuPG tools.

Last updated on 2014-09-17 11:48:47 -0700


Introduction to GnuTLS

The GnuTLS package contains libraries and userspace tools which provide a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards by the IETF's TLS working group. Quoting from the TLS protocol specification:

The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.

GnuTLS provides support for TLS 1.1, TLS 1.0 and SSL 3.0 protocols, TLS extensions, including server name and max record size. Additionally, the library supports authentication using the SRP protocol, X.509 certificates and OpenPGP keys, along with support for the TLS Pre-Shared-Keys (PSK) extension, the Inner Application (TLS/IA) extension and X.509 and OpenPGP certificate handling.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information

GnuTLS Dependencies




GTK-Doc-1.20, Guile-2.0.11, libidn-1.29, p11-kit-0.20.6, Unbound-1.4.22 (to build the DANE library), Valgrind-3.10.0 (used during the test suite), autogen, and Trousers (Trusted Platform Module support)


Note that if you do not install libtasn1-4.1, an older version shipped in the GnuTLS tarball will be used instead.


Installation of GnuTLS

First fix a bug in one of the libraries:

sed -i -e '201 i#ifdef ENABLE_PKCS11' \
       -e '213 i#endif'               \

Install GnuTLS by running the following commands:

./configure --prefix=/usr \
            --with-default-trust-store-file=/etc/ssl/ca-bundle.crt &&
make

To test the results, issue: make check.

Now, as the root user:

make install

If you did not pass the --enable-gtk-doc parameter to the configure script, you can install the API documentation to the /usr/share/gtk-doc/html/gnutls directory using the following command as the root user:

make -C doc/reference install-data-local

Command Explanations

--with-default-trust-store-file=/etc/ssl/ca-bundle.crt: This switch tells configure where to find the CA Certificates.

--enable-gtk-doc: Use this parameter if GTK-Doc is installed and you wish to rebuild and install the API documentation.


Installed Programs: certtool, crywrap, danetool, gnutls-cli, gnutls-cli-debug, gnutls-serv, ocsptool, p11tool, psktool, and srptool
Installed Libraries:,,,, and /usr/lib/guile/2.0/
Installed Directories: /usr/include/gnutls, /usr/share/gtk-doc/html/gnutls, and /usr/share/guile/site/gnutls

Short Descriptions


is used to generate X.509 certificates, certificate requests, and private keys.


is a simple wrapper that waits for TLS/SSL connections, and proxies them to an unencrypted location. Only installed if libidn-1.29 is present.


is a tool used to generate and check DNS resource records for the DANE protocol.


is a simple client program to set up a TLS connection to some other computer.


is a simple client program to set up a TLS connection to some other computer and produces very verbose progress results.


is a simple server program that listens to incoming TLS connections.


is a program that can parse and print information about OCSP requests/responses, generate requests and verify responses.


is a program that allows handling data from PKCS #11 smart cards and security modules.


is a simple program that generates random keys for use with TLS-PSK.


is a simple program that emulates the programs in the Stanford SRP (Secure Remote Password) libraries using GnuTLS.

contains the core API functions and X.509 certificate API functions.

Last updated on 2014-09-10 06:19:10 -0700


Introduction to GPGME

The GPGME package is a C language library that allows cryptography support to be added to a program. It is designed to make access to public key crypto engines like GnuPG or GpgSM easier for applications. GPGME provides a high-level crypto API for encryption, decryption, signing, signature verification and key management.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information

  • Download (FTP):

  • Download MD5 sum: 8fb46b336200807a12a12a5760b4a39d

  • Download size: 944 KB

  • Estimated disk space required: 17 MB (additional 1 MB for the tests)

  • Estimated build time: 0.2 SBU (additional 0.1 SBU for the tests)

GPGME Dependencies




GnuPG-2.0.26 (used during the testsuite)


Installation of GPGME

Install GPGME by running the following commands:

./configure --prefix=/usr        \
            --disable-fd-passing \
            --disable-gpgsm-test &&
make

To test the results, issue: make check.

Now, as the root user:

make install

Command Explanations

--disable-fd-passing: This option disables a problem causing a hang for some operations on some systems.

--disable-gpgsm-test: This option disables a test with gpgsm in some systems breaking make.


Installed Program: gpgme-config
Installed Libraries: and
Installed Directory: /usr/share/common-lisp/source/gpgme

Short Descriptions

contains the GPGME API functions for applications using pthread.

contains the GPGME API functions.

Last updated on 2014-09-17 11:48:47 -0700


Introduction to Haveged

The Haveged package contains a daemon that generates an unpredictable stream of random numbers and feeds the /dev/random device.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information


Installation of Haveged

Install Haveged by running the following commands:

./configure --prefix=/usr &&
make

To test the results, issue: make check.

Now, as the root user:

make install &&
mkdir -pv    /usr/share/doc/haveged-1.9.1 &&
cp -v README /usr/share/doc/haveged-1.9.1

Configuring haveged

Boot Script

If you want the Haveged daemon to start automatically when the system is booted, install the /etc/rc.d/init.d/haveged init script included in the blfs-bootscripts-20140919 package.

make install-haveged


Installed Programs: haveged
Installed Libraries:
Installed Directory: /usr/include/haveged

Short Descriptions


is a daemon that generates an unpredictable stream of random numbers harvested from the indirect effects of hardware events based on hidden processor states (caches, branch predictors, memory translation tables, etc).

Last updated on 2014-09-19 13:27:36 -0700


Introduction to Iptables

The next part of this chapter deals with firewalls. The principal firewall tool for Linux is Iptables. You will need to install Iptables if you intend on using any form of a firewall.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information


Kernel Configuration

A firewall in Linux is accomplished through a portion of the kernel called netfilter. The interface to netfilter is Iptables. To use it, the appropriate kernel configuration parameters are found in Networking Support ⇒ Networking Options ⇒ Network Packet Filtering Framework.

Installation of Iptables


The installation below does not include building some specialized extension libraries which require the raw headers in the Linux source code. If you wish to build the additional extensions (if you aren't sure, then you probably don't), you can look at the INSTALL file to see an example of how to change the KERNEL_DIR= parameter to point at the Linux source code. Note that if you upgrade the kernel version, you may also need to recompile Iptables and that the BLFS team has not tested using the raw kernel headers.

For some non-x86 architectures, the raw kernel headers may be required. In that case, modify the KERNEL_DIR= parameter to point at the Linux source code.

Install Iptables by running the following commands:

./configure --prefix=/usr                \
            --sbindir=/sbin              \
            --with-xtlibdir=/lib/xtables \
            --enable-libipq &&
make

This package does not come with a test suite.

Now, as the root user:

make install &&
ln -sfv ../../sbin/xtables-multi /usr/bin/iptables-xml &&
for file in ip4tc ip6tc ipq iptc xtables
do
  mv -v /usr/lib/lib${file}.so.* /lib &&
  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done

Command Explanations

--with-xtlibdir=/lib/xtables: Ensure all Iptables modules are installed in the /lib/xtables directory.

--enable-libipq: This switch enables building of which can be used by some packages outside of BLFS.

--enable-nfsynproxy: This switch enables installation of the nfsynproxy SYNPROXY configuration tool.

ln -sfv ../../sbin/xtables-multi /usr/bin/iptables-xml: Ensure the symbolic link for iptables-xml is relative.

Configuring Iptables

Introductory instructions for configuring your firewall are presented in the next section: Firewalling

Boot Script

To set up the iptables firewall at boot, install the /etc/rc.d/init.d/iptables init script included in the blfs-bootscripts-20140919 package.

make install-iptables


Installed Programs: ip6tables, ip6tables-restore, ip6tables-save, iptables, iptables-restore, iptables-save, iptables-xml, and xtables-multi
Installed Libraries:,,,, and
Installed Directories: /lib/xtables and /usr/include/libiptc

Short Descriptions


is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.


is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file.


is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file.


is used to convert the output of iptables-save to an XML format. Using the iptables.xslt stylesheet converts the XML back to the format of iptables-restore.


are a set of commands for IPV6 that parallel the iptables commands above.


(optional) configuration tool. SYNPROXY target makes handling of large SYN floods possible without the large performance penalties imposed by the connection tracking in such cases.

Last updated on 2014-09-19 13:27:36 -0700

Setting Up a Network Firewall

Before you read this part of the chapter, you should have already installed iptables as described in the previous section.

Introduction to Firewall Creation

The general purpose of a firewall is to protect a computer or a network against malicious access.

In a perfect world, every daemon or service on every machine is perfectly configured and immune to flaws such as buffer overflows or other problems regarding its security. Furthermore, you trust every user accessing your services. In this world, you do not need to have a firewall.

In the real world however, daemons may be misconfigured and exploits against essential services are freely available. You may wish to choose which services are accessible by certain machines or you may wish to limit which machines or applications are allowed external access. Alternatively, you may simply not trust some of your applications or users. You are probably connected to the Internet. In this world, a firewall is essential.

Don't assume, however, that having a firewall makes careful configuration redundant, or that it makes any negligent misconfiguration harmless. It doesn't prevent anyone from exploiting a service you intentionally offer but haven't recently updated or patched after an exploit went public. Despite having a firewall, you need to keep applications and daemons on your system properly configured and up to date. A firewall is not a cure-all, but should be an essential part of your overall security strategy.

Meaning of the Word "Firewall"

The word firewall can have several different meanings.

This is a hardware device or software program commercially sold (or offered via freeware) by companies such as Symantec which claims that it secures a home or desktop computer connected to the Internet. This type of firewall is highly relevant for users who do not know how their computers might be accessed via the Internet or how to disable that access, especially if they are always online and connected via broadband links.

This is a system placed between the Internet and an intranet. To minimize the risk of compromising the firewall itself, it should generally have only one role—that of protecting the intranet. Although not completely risk free, the tasks of doing the routing and IP masquerading (rewriting IP headers of the packets it routes from clients with private IP addresses onto the Internet so that they seem to come from the firewall itself) are commonly considered relatively secure.

This is often an old computer you may have retired and nearly forgotten, performing masquerading or routing functions, but offering non-firewall services such as a web-cache or mail. This may be used for home networks, but is not to be considered as secure as a firewall-only machine because the combination of server and router/firewall on one machine raises the complexity of the setup.

Firewall with a Demilitarized Zone [Not Further Described Here]

This box performs masquerading or routing, but grants public access to some branch of your network which, because of public IPs and a physically separated structure, is essentially a separate network with direct Internet access. The servers on this network are those which must be easily accessible from both the Internet and intranet. The firewall protects both networks. This type of firewall has a minimum of three network interfaces.


This type of firewall does routing or masquerading, but does not maintain a state table of ongoing communication streams. It is fast, but quite limited in its ability to block undesired packets without blocking desired packets.

Now You Can Start to Build your Firewall


This introduction on how to set up a firewall is not a complete guide to securing systems. Firewalling is a complex issue that requires careful configuration. The scripts quoted here are simply intended to give examples of how a firewall works. They are not intended to fit into any particular configuration and may not provide complete protection from an attack.

Customization of these scripts for your specific situation will be necessary for an optimal configuration, but you should make a serious study of the iptables documentation and creating firewalls in general before hacking away. Have a look at the list of links for further reading at the end of this section for more details. There you will find a list of URLs that contain quite comprehensive information about building your own firewall.

The firewall configuration script installed in the iptables section differs from the standard configuration script. It only has two of the standard targets: start and status. The other targets are clear and lock. For instance if you issue:

/etc/rc.d/init.d/iptables start

the firewall will be restarted just as it is upon system startup. The status target will present a list of all currently implemented rules. The clear target turns off all firewall rules and the lock target will block all packets in and out of the computer with the exception of the loopback interface.

The main startup firewall is located in the file /etc/rc.d/rc.iptables. The sections below provide three different approaches that can be used for a system.


You should always run your firewall rules from a script. This ensures consistency and a record of what was done. It also allows retention of comments that are essential for understanding the rules long after they were written.

Personal Firewall

A Personal Firewall is designed to let you access all the services offered on the Internet, but keep your box secure and your data private.

Below is a slightly modified version of Rusty Russell's recommendation from the Linux 2.4 Packet Filtering HOWTO. It is still applicable to the Linux 2.6 kernels.

cat > /etc/rc.d/rc.iptables << "EOF"
#!/bin/sh

# Begin rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians

# be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT  -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End $rc_base/rc.iptables
EOF
chmod 700 /etc/rc.d/rc.iptables

This script is quite simple: it drops all traffic coming into your computer that wasn't initiated from your computer. As long as you are simply surfing the Internet, you are unlikely to exceed its limits.

If you frequently encounter certain delays when accessing FTP servers, take a look at BusyBox example number 4.

Even if you have daemons or services running on your system, these will be inaccessible everywhere but from your computer itself. If you want to allow access to services on your machine, such as ssh or ping, take a look at BusyBox.

Masquerading Router

A true Firewall has two interfaces, one connected to an intranet, in this example eth0, and one connected to the Internet, here ppp0. To provide the maximum security for the firewall itself, make sure that there are no unnecessary servers running on it such as X11 et al. As a general principle, the firewall itself should not access any untrusted service (think of a remote server giving answers that make a daemon on your system crash, or even worse, that implement a worm via a buffer-overflow).

cat > /etc/rc.d/rc.iptables << "EOF"
#!/bin/sh

# Begin rc.iptables

echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo ""

# Insert iptables modules (not needed if built into the kernel).

modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding if initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW       -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
chmod 700 /etc/rc.d/rc.iptables

With this script your intranet should be reasonably secure against external attacks. No one should be able to set up a new connection to any internal service and, if it's masqueraded, your intranet is invisible to the Internet. Furthermore, your firewall should be relatively safe because there are no services running that a cracker could attack.


If the interface you're connecting to the Internet doesn't connect via PPP, you will need to change <ppp+> to the name of the interface (e.g., eth1) which you are using.


This scenario isn't too different from the Masquerading Router, but additionally offers some services to your intranet. Examples of this can be when you want to administer your firewall from another host on your intranet or use it as a proxy or a name server.


Outlining a true concept of how to protect a server that offers services on the Internet goes far beyond the scope of this document. See the references at the end of this section for more information.

Be cautious. Every service you have enabled makes your setup more complex and your firewall less secure. You are exposed to the risks of misconfigured services or running a service with an exploitable bug. A firewall should generally not run any extra services. See the introduction to the Masquerading Router for some more details.

If you want to add services such as internal Samba or name servers that do not need to access the Internet themselves, the additional statements are quite simple and should still be acceptable from a security standpoint. Just add the following lines into the script before the logging rules.

iptables -A INPUT  ! -i ppp+  -j ACCEPT
iptables -A OUTPUT ! -o ppp+  -j ACCEPT

If daemons, such as squid, have to access the Internet themselves, you could open OUTPUT generally and restrict INPUT.

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT

However, it is generally not advisable to leave OUTPUT unrestricted. You lose any control over trojans that would like to "call home", and a bit of redundancy in case you've (mis-)configured a service so that it broadcasts its existence to the world.

To accomplish this, you should restrict INPUT and OUTPUT on all ports except those that it's absolutely necessary to have open. Which ports you have to open depends on your needs: mostly you will find them by looking for failed accesses in your log files.
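
One way to find those failed accesses, as an added example that is not part of the BLFS book: the function below tallies packets logged with the FIREWALL: prefixes used by the scripts above, per chain, protocol and destination port (or ICMP type). The function names, host name, addresses and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the BLFS book.
# Summarise packets logged by the "FIREWALL:<CHAIN> " LOG rules.
# Output columns: hits, distinct source addresses, chain, protocol/port.

# Constructed sample of kernel log lines (documentation address ranges).
sample_log() {
    cat << 'EOF'
Sep 19 13:30:01 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=40112 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 19 13:30:04 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=192.0.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=40113 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 19 13:30:05 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=192.0.2.53 LEN=71 TOS=0x00 PREC=0x00 TTL=64 ID=4323 PROTO=UDP SPT=53211 DPT=53 LEN=51
Sep 19 13:30:07 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=911 DF PROTO=TCP SPT=33010 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 19 13:30:08 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=77 PROTO=ICMP TYPE=8 CODE=0 ID=1201 SEQ=1
Sep 19 13:30:09 fw sshd[812]: Server listening on 0.0.0.0 port 22.
Sep 19 13:30:11 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=78 DF PROTO=TCP SPT=51514 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 19 13:30:12 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.8 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# Read syslog lines on stdin, print one summary line per chain/protocol/port.
summarize_fw_log() {
    awk '
    {
        chain = ""; proto = ""; src = ""; dpt = ""; itype = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^FIREWALL:/) chain = substr($i, 10)
            else if ($i ~ /^PROTO=/)    proto = substr($i, 7)
            else if ($i ~ /^SRC=/)      src   = substr($i, 5)
            else if ($i ~ /^DPT=/)      dpt   = substr($i, 5)
            else if ($i ~ /^TYPE=/)     itype = substr($i, 6)
        }
        if (chain == "" || proto == "") next   # not a firewall log line

        # TCP and UDP carry a destination port, ICMP carries a type instead
        if (dpt != "")        what = dpt
        else if (itype != "") what = "type" itype
        else                  what = "-"

        key = chain " " proto "/" what
        hits[key]++
        if (!((key, src) in seen)) { seen[key, src] = 1; srcs[key]++ }
    }
    END {
        for (key in hits) printf "%d %d %s\n", hits[key], srcs[key], key
    }' | LC_ALL=C sort -k1,1nr -k3,3 -k4,4
}

sample_log | summarize_fw_log
```

On a live system, feed it the kernel log instead of the sample; which file that is depends on your syslog configuration. Repeated OUTPUT entries point at ports a local daemon needs, while INPUT entries from many sources are usually scans rather than services to open.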

Have a Look at the Following Examples:

  • Squid is caching the web:

    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
      -j ACCEPT
  • Your caching name server (e.g., named) does its lookups via UDP:

    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
  • You want to be able to ping your computer to ensure it's still alive:

    iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT
  • If you are frequently accessing FTP servers or enjoy chatting, you might notice certain delays because some implementations of these daemons have the feature of querying an identd on your system to obtain usernames. Although there's really little harm in this, having an identd running is not recommended because many security experts feel the service gives out too much additional information.

    To avoid these delays you could reject the requests with a 'tcp-reset':

    iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  • To log and drop invalid packets (packets that came in after netfilter's timeout or some types of network scans) insert these rules at the top of the chain:

    iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID \
      -j LOG --log-prefix "FIREWALL:INVALID "
    iptables -I INPUT 2 -p tcp -m conntrack --ctstate INVALID -j DROP
  • Anything coming from the outside should not have a private address; this is a common attack called IP-spoofing:

    iptables -A INPUT -i ppp+ -s     -j DROP
    iptables -A INPUT -i ppp+ -s  -j DROP
    iptables -A INPUT -i ppp+ -s -j DROP

    There are other addresses that you may also want to drop:,, (multicast and experimental), (Link Local Networks), and (IANA defined test network).

  • If your firewall is a DHCP client, you need to allow those packets:

    iptables -A INPUT  -i ppp0 -p udp -s --sport 67 \
       -d --dport 68 -j ACCEPT
  • To simplify debugging and be fair to anyone who'd like to access a service you have disabled, purposely or by mistake, you could REJECT those packets that are dropped.

    Obviously this must be done directly after logging as the very last lines before the packets are dropped by policy:

    iptables -A INPUT -j REJECT

These are only examples to show you some of the capabilities of the firewall code in Linux. Have a look at the man page of iptables. There you will find much more information. The port numbers needed for this can be found in /etc/services, in case you didn't find them by trial and error in your log file.
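
An added example (not part of the BLFS book) that checks a saved ruleset against the conventions used in this section: DROP policies on the built-in filter chains, the catch-all LOG rule last (followed at most by REJECT), and no rule that accepts every packet. The function names and the sample iptables-save text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the BLFS book.
# Check `iptables-save` output (stdin) against this section's conventions.
# Prints one "FINDING:" line per problem and returns 1 if any were found.

# Constructed sample with three deliberate defects: FORWARD policy ACCEPT,
# an ACCEPT rule placed after the catch-all LOG rule, and an open OUTPUT.
sample_ruleset() {
    cat << 'EOF'
# Constructed sample, not captured from a real host
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m conntrack --ctstate INVALID -j LOG --log-prefix "FIREWALL:INVALID "
-A INPUT -p tcp -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

check_ruleset() {
    awk '
    function report(msg) { print "FINDING: " msg; findings++ }

    /^\*/ { table = substr($0, 2); next }      # "*filter", "*nat", ...
    table != "filter" { next }                  # only the filter table is checked

    /^:/ {                                      # ":CHAIN POLICY [packets:bytes]"
        chain = substr($1, 2)
        if ((chain == "INPUT" || chain == "FORWARD" || chain == "OUTPUT") && $2 != "DROP")
            report("policy of " chain " is " $2 ", expected DROP")
        next
    }

    $1 == "-A" {
        chain = $2
        pos[chain]++
        target = ""
        for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
        catchall = ($3 == "-j")                 # rule has no match conditions

        # Rules behind the catch-all LOG see packets that were already
        # logged as refused; only the final REJECT belongs there.
        if ((chain in logged) && target != "REJECT")
            report(chain " rule " pos[chain] " (" target ") comes after the catch-all LOG rule")
        if (catchall && target == "LOG")
            logged[chain] = 1
        if (catchall && target == "ACCEPT")
            report(chain " rule " pos[chain] " accepts every packet, so the DROP policy never applies")
    }

    END { exit (findings > 0) }
    '
}

sample_ruleset | check_ruleset || echo "ruleset needs review"
```

On a running firewall, run `iptables-save | check_ruleset` as root. The personal firewall above will report its unrestricted OUTPUT rule, which matches the caution about leaving OUTPUT open.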


Finally, there is one fact you must not forget: The effort spent attacking a system corresponds to the value the cracker expects to gain from it. If you are responsible for valuable information, you need to spend the time to protect it properly.

Last updated on 2014-08-10 11:18:14 -0700

libcap-2.24 with PAM

Introduction to libcap with PAM

The libcap package was installed in LFS, but if PAM support is desired, it needs to be reinstalled after PAM is built.

This package is known to build and work properly using an LFS-7.6 platform.

Installation of libcap

Install libcap by running the following commands:

sed -i 's:LIBDIR:PAM_&:g' pam_cap/Makefile &&
make

This package does not come with a test suite.

If you want to disable installing the static library, use this sed:

sed -i '/install.*STALIBNAME/ s/^/#/' libcap/Makefile

Now, as the root user:

make prefix=/usr \
     SBINDIR=/sbin \
     PAM_LIBDIR=/lib \
     RAISE_SETFCAP=no install

Still as the root user, clean up some library locations and permissions:

chmod -v 755 /usr/lib/ &&
mv -v /usr/lib/* /lib &&
ln -sfv ../../lib/ /usr/lib/

Command Explanations

sed -i '...', PAM_LIBDIR=/lib: These correct the PAM module install location.

RAISE_SETFCAP=no: This parameter skips trying to use setcap on itself. This avoids an installation error if the kernel or file system does not support extended capabilities.


Installed Programs: capsh, getcap, getpcaps, and setcap
Installed Library: libcap.{so,a}
Installed Directories: None

Short Descriptions


is a shell wrapper to explore and constrain capability support.


examines file capabilities.


displays the capabilities on the queried process(es).


sets file capabilities.


contains the libcap API functions.

Last updated on 2014-09-10 06:19:10 -0700


Introduction to Linux PAM

The Linux PAM package contains Pluggable Authentication Modules used to enable the local system administrator to choose how applications authenticate users.

This package is known to build and work properly using an LFS-7.6 platform.

Linux PAM Dependencies


Berkeley DB-6.1.19, CrackLib-2.9.1, libtirpc-0.2.5 and Prelude

Optional (To Rebuild the Documentation)

docbook-xml-4.5, docbook-xsl-1.78.1, fop-1.1, libxslt-1.1.28 and w3m-0.5.3

Installation of Linux PAM

If you downloaded the documentation, unpack the tarball by issuing the following command.

tar -xf ../Linux-PAM-1.1.8-docs.tar.bz2 --strip-components=1

Install Linux PAM by running the following commands:

./configure --prefix=/usr \
            --sysconfdir=/etc \
            --libdir=/usr/lib \
            --enable-securedir=/lib/security \
            --docdir=/usr/share/doc/Linux-PAM-1.1.8 &&
make

To test the results, a suitable /etc/pam.d/other configuration file must exist.

Reinstallation or upgrade of Linux PAM

If you have a system with Linux PAM installed and working, be careful when modifying the files in /etc/pam.d, since your system may become totally unusable. If you want to run the tests, you do not need to create another /etc/pam.d/other file. The installed one can be used for that purpose.

You should also be aware that make install overwrites the configuration files in /etc/security as well as /etc/environment. In case you have modified those files, be sure to back them up.

For a first installation, create the configuration file by issuing the following commands as the root user:

install -v -m755 -d /etc/pam.d &&

cat > /etc/pam.d/other << "EOF"
auth     required
account  required
password required
session  required
EOF

Now run the tests by issuing make check. Ensure there are no errors produced by the tests before continuing the installation.

Only in case of a first installation, remove the configuration file created earlier by issuing the following command as the root user:

rm -rfv /etc/pam.d

Now, as the root user:

make install &&
chmod -v 4755 /sbin/unix_chkpwd &&

for file in pam pam_misc pamc
do
  mv -v /usr/lib/lib${file}.so.* /lib &&
  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done

Command Explanations

--enable-securedir=/lib/security: This switch sets the install location for the PAM modules.

chmod -v 4755 /sbin/unix_chkpwd: The unix_chkpwd helper program must be setuid so that non-root processes can access the shadow file.

Configuring Linux-PAM

Config Files

/etc/security/* and /etc/pam.d/*

Configuration Information

Configuration information is placed in /etc/pam.d/. Below is an example file:

# Begin /etc/pam.d/other

auth            required     nullok
account         required
session         required
password        required     nullok

# End /etc/pam.d/other

The PAM man page (man pam) provides a good starting point for descriptions of fields and allowable entries. The Linux-PAM System Administrators' Guide is recommended for additional information.

Refer to for a list of various third-party modules available.


You should now reinstall the Shadow-4.2.1 package.


Installed Programs: mkhomedir_helper, pam_tally, pam_tally2, pam_timestamp_check, unix_chkpwd and unix_update
Installed Libraries:, and
Installed Directories: /etc/security, /lib/security, /usr/include/security and /usr/share/doc/Linux-PAM-1.1.8

Short Descriptions


is a helper binary that creates home directories.


is used to interrogate and manipulate the login counter file.


is used to interrogate and manipulate the login counter file, but does not have some limitations that pam_tally does.


is used to check if the default timestamp is valid.


is a helper binary that verifies the password of the current user.


is a helper binary that updates the password of a given user.

provides the interfaces between applications and the PAM modules.

Last updated on 2014-09-10 06:19:10 -0700

MIT Kerberos V5-1.12.2

Introduction to MIT Kerberos V5

MIT Kerberos V5 is a free implementation of Kerberos 5. Kerberos is a network authentication protocol. It centralizes the authentication database and uses kerberized applications to work with servers or services that support Kerberos, allowing single logins and encrypted communication over internal networks or the Internet.

This package is known to build and work properly using an LFS-7.6 platform.

MIT Kerberos V5 Dependencies


DejaGnu-1.5.1 (for full test coverage), GnuPG-2.0.26 (to authenticate the package), keyutils-1.5.9, OpenLDAP-2.4.39, Python-2.7.8 (used during the testsuite) and rpcbind-0.2.1 (used during the testsuite)


Some sort of time synchronization facility on your system (like ntp-4.2.6p5) is required since Kerberos won't authenticate if there is a time difference between a kerberized client and the KDC server.

Installation of MIT Kerberos V5

MIT Kerberos V5 is distributed in a TAR file containing a compressed TAR package and a detached PGP ASC file. You'll need to unpack the distribution tar file, then unpack the compressed tar file before starting the build.

After unpacking the distribution tarball and if you have GnuPG-2.0.26 installed, you can authenticate the package. First, check the contents of the file krb5-1.12.2.tar.gz.asc.

gpg2 --verify krb5-1.12.2.tar.gz.asc krb5-1.12.2.tar.gz

You will probably see output similar to:

gpg: Signature made Mon Aug 11 22:53:10 2014 GMT using RSA key ID 749D7889
gpg: Can't check signature: No public key

You can import the public key with:

gpg2 --pgp2 --keyserver --recv-keys 0x749D7889

Now re-verify the package with the first command above. You should get an indication of a good signature, but the key will still not be certified with a trusted signature. Trusting the downloaded key is a separate operation, and it is up to you to determine the level of trust.

Build MIT Kerberos V5 by running the following commands:

cd src &&
sed -e "s@python2.5/Python.h@& python2.7/Python.h@g" \
    -e "s@-lpython2.5]@&,\n  AC_CHECK_LIB(python2.7,main,[PYTHON_LIB=-lpython2.7])@g" \
    -i &&
sed -e 's@\^u}@^u cols 300}@' \
    -i tests/dejagnu/config/default.exp &&
autoconf &&
./configure --prefix=/usr            \
            --sysconfdir=/etc        \
            --localstatedir=/var/lib \
            --with-system-et         \
            --with-system-ss         \
            --with-system-verto=no   \
            --enable-dns-for-realm &&
make

To test the build, issue: make check. You need at least Tcl-8.6.2, which is used to drive the testsuite. Furthermore, DejaGnu-1.5.1 must be available for some of the tests to run. If you have a former version of MIT Kerberos V5 installed, it may happen that the test suite picks up the installed versions of the libraries, rather than the newly built ones. If so, it is better to run the tests after the installation.

Now, as the root user:

make install &&

for LIBRARY in gssapi_krb5 gssrpc k5crypto kadm5clnt kadm5srv \
               kdb5 kdb_ldap krad krb5 krb5support verto ; do
    chmod -v 755 /usr/lib/lib$
done &&

mv -v /usr/lib/*        /lib &&
mv -v /usr/lib/*    /lib &&
mv -v /usr/lib/* /lib &&

ln -v -sf ../../lib/        /usr/lib/        &&
ln -v -sf ../../lib/    /usr/lib/    &&
ln -v -sf ../../lib/ /usr/lib/ &&

mv -v /usr/bin/ksu /bin &&
chmod -v 755 /bin/ksu   &&

install -v -dm755 /usr/share/doc/krb5-1.12.2 &&
cp -vfr ../doc/*  /usr/share/doc/krb5-1.12.2


Command Explanations

sed -e ...: The first sed fixes Python detection. The second one increases the width of the virtual terminal used for some tests, to prevent some spurious characters from being echoed, which is taken as a failure.

--localstatedir=/var/lib: This parameter is used so that the Kerberos variable run-time data is located in /var/lib instead of /usr/var.

--with-system-et: This switch causes the build to use the system-installed versions of the error-table support software.

--with-system-ss: This switch causes the build to use the system-installed versions of the subsystem command-line interface software.

--with-system-verto=no: This switch fixes a bug in the package: it does not recognize its own verto library installed previously. This is not a problem if reinstalling the same version, but if you are updating, the old library is used as the system's one, instead of installing the new version.

--enable-dns-for-realm: This switch allows realms to be resolved using the DNS server.

mv -v /usr/bin/ksu /bin: Moves the ksu program to the /bin directory so that it is available when the /usr filesystem is not mounted.

--with-ldap: Use this switch if you want to compile OpenLDAP database backend module.

Configuring MIT Kerberos V5

Config Files

/etc/krb5.conf and /var/lib/krb5kdc/kdc.conf

Configuration Information

Kerberos Configuration


You should consider installing some sort of password checking dictionary so that you can configure the installation to only accept strong passwords. A suitable dictionary to use is shown in the CrackLib-2.9.1 instructions. Note that only one file can be used, but you can concatenate many files into one. The configuration file shown below assumes you have installed a dictionary to /usr/share/dict/words.

Create the Kerberos configuration file with the following commands issued by the root user:

cat > /etc/krb5.conf << "EOF"
# Begin /etc/krb5.conf

[libdefaults]
    default_realm = <LFS.ORG>
    encrypt = true

[realms]
    <LFS.ORG> = {
        kdc = <>
        admin_server = <>
        dict_file = /usr/share/dict/words
    }

[domain_realm]
    .<> = <LFS.ORG>

[logging]
    kdc = SYSLOG[:INFO[:AUTH]]
    admin_server = SYSLOG[INFO[:AUTH]]
    default = SYSLOG[[:SYS]]

# End /etc/krb5.conf
EOF

You will need to substitute your domain and proper hostname for the occurrences of the <belgarath> and <> names.

default_realm should be the name of your domain changed to ALL CAPS. This isn't required, but both Heimdal and MIT recommend it.

encrypt = true provides encryption of all traffic between kerberized clients and servers. It's not necessary and can be left off. If you leave it off, you can encrypt all traffic from the client to the server using a switch on the client program instead.

The [realms] parameters tell the client programs where to look for the KDC authentication services.

The [domain_realm] section maps a domain to a realm.

Create the KDC database:

kdb5_util create -r <LFS.ORG> -s

Now you should populate the database with principals (users). For now, just use your regular login name or root.

kadmin.local: add_policy dict-only
kadmin.local: addprinc -policy dict-only <loginname>

The KDC server and any machine running kerberized server daemons must have a host key installed:

kadmin.local: addprinc -randkey host/<>

After choosing the defaults when prompted, you will have to export the data to a keytab file:

kadmin.local: ktadd host/<>

This should have created a file in /etc named krb5.keytab (Kerberos 5). This file should have 600 (root rw only) permissions. Keeping the keytab files from public access is crucial to the overall security of the Kerberos installation.

Exit the kadmin program (use quit or exit) and return to the shell prompt. Start the KDC daemon manually, just to test out the installation:


Attempt to get a ticket with the following command:

kinit <loginname>

You will be prompted for the password you created. After you get your ticket, you can list it with the following command:


Information about the ticket should be displayed on the screen.

To test the functionality of the keytab file, issue the following command:

ktutil: rkt /etc/krb5.keytab
ktutil: l

This should dump a list of the host principal, along with the encryption methods used to access the principal.

At this point, if everything has been successful so far, you can feel fairly confident in the installation and configuration of the package.

Additional Information

For additional information consult the documentation for krb5-1.12.2 on which the above instructions are based.

Init Script

If you want to start Kerberos services at boot, install the /etc/rc.d/init.d/krb5 init script included in the blfs-bootscripts-20140919 package using the following command:

make install-krb5


Installed Programs: gss-client, gss-server, k5srvutil, kadmin, kadmin.local, kadmind, kdb5_ldap_util (optional), kdb5_util, kdestroy, kinit, klist, kpasswd, kprop, kpropd, kproplog, krb5-config, krb5kdc, krb5-send-pr, ksu, kswitch, ktutil, kvno, sclient, sim_client, sim_server, sserver, uuclient and uuserver
Installed Libraries:,,,,,,, (optional),,,,,, and some plugins under the /usr/lib/krb5 tree
Installed Directories: /usr/include/gssapi, /usr/include/gssrpc, /usr/include/kadm5, /usr/include/krb5, /usr/lib/krb5, /usr/share/doc/krb5-1.12.2, /usr/share/examples/krb5, /usr/share/gnats/, and /var/lib/krb5kdc

Short Descriptions


is a host keytable manipulation utility.


is a utility used to make modifications to the Kerberos database.


is a server for administrative access to a Kerberos database.


is the KDC database utility.


removes the current set of tickets.


is used to authenticate to the Kerberos server as a principal and acquire a ticket granting ticket that can later be used to obtain tickets for other services.


reads and displays the current tickets in the credential cache.


is a program for changing Kerberos 5 passwords.


takes a principal database in a specified format and converts it into a stream of database records.


receives a database sent by kprop and writes it as a local database.


gives information on how to link programs against libraries.


is the Kerberos 5 server.


is the super user program using Kerberos protocol. Requires a properly configured /etc/shells and ~/.k5login containing principals authorized to become super users.


makes the specified credential cache the primary cache for the collection, if a cache collection is available.


is a program for managing Kerberos keytabs.


prints keyversion numbers of Kerberos principals.


used to contact a sample server and authenticate to it using Kerberos 5 tickets, then display the server's response.


is the sample Kerberos 5 server.

contain the Generic Security Service Application Programming Interface (GSSAPI) functions, which provide security services to callers in a generic fashion, supportable with a range of underlying mechanisms and technologies and hence allowing source-level portability of applications to different environments.

contains the administrative authentication and password checking functions required by Kerberos 5 client-side programs.

contain the administrative authentication and password checking functions required by Kerberos 5 servers.

is a Kerberos 5 authentication/authorization database access library.

contains the internal support library for RADIUS functionality.

is an all-purpose Kerberos 5 library.

Last updated on 2014-09-19 13:27:36 -0700


Introduction to Nettle

The Nettle package contains the low-level cryptographic library that is designed to fit easily in many contexts.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information

Nettle Dependencies


OpenSSL-1.0.1i (for examples)

User Notes:

Installation of Nettle

Install Nettle by running the following commands:

./configure --prefix=/usr &&
make

To test the results, issue: make check.

If you want to disable installing the static library, use this sed:

sed -i '/^install-here/ s/install-static//' Makefile

Now, as the root user:

make install &&
chmod -v 755 /usr/lib/ /usr/lib/ &&
install -v -m755 -d /usr/share/doc/nettle-2.7.1 &&
install -v -m644 nettle.html /usr/share/doc/nettle-2.7.1


Installed Programs: nettle-hash, nettle-lfib-stream, pkcs1-conv and sexp-conv
Installed Libraries: libhogweed.{so,a} and libnettle.{so,a}
Installed Directory: /usr/include/nettle

Short Descriptions


calculates a hash value using a specified algorithm.


outputs a sequence of pseudorandom (non-cryptographic) bytes, using Knuth's lagged Fibonacci generator. The stream is useful for testing, but should not be used to generate cryptographic keys or anything else that needs real randomness.


converts private and public RSA keys from PKCS #1 format to sexp format.


converts an s-expression to a different encoding.

Last updated on 2014-09-10 06:19:10 -0700


Introduction to NSS

The Network Security Services (NSS) package is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. This is useful for implementing SSL and S/MIME or other Internet security standards into an application.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information

Additional Downloads

NSS Dependencies




User Notes:

Installation of NSS


This package does not support parallel build.

Install NSS by running the following commands:

patch -Np1 -i ../nss-3.17-standalone-1.patch &&

cd nss &&
make BUILD_OPT=1                      \
  NSPR_INCLUDE_DIR=/usr/include/nspr  \
  USE_SYSTEM_ZLIB=1                   \
  ZLIB_LIBS=-lz                       \
  $([ $(uname -m) = x86_64 ] && echo USE_64=1) \
  $([ -f /usr/include/sqlite3.h ] && echo NSS_USE_SYSTEM_SQLITE=1) -j1

This package does not come with a test suite.

Now, as the root user:

cd ../dist                                                       &&
install -v -m755 Linux*/lib/*.so              /usr/lib           &&
install -v -m644 Linux*/lib/{*.chk,libcrmf.a} /usr/lib           &&
install -v -m755 -d                           /usr/include/nss   &&
cp -v -RL {public,private}/nss/*              /usr/include/nss   &&
chmod -v 644                                  /usr/include/nss/* &&
install -v -m755 Linux*/bin/{certutil,nss-config,pk12util} /usr/bin &&
install -v -m644 Linux*/lib/pkgconfig/nss.pc  /usr/lib/pkgconfig

Command Explanations

BUILD_OPT=1: This option is passed to make so that the build is performed with no debugging symbols built into the binaries and the default compiler optimizations are used.

NSPR_INCLUDE_DIR=/usr/include/nspr: This option sets the location of the nspr headers.

USE_SYSTEM_ZLIB=1: This option is passed to make to ensure that the library is linked to the system installed zlib instead of the in-tree version.

ZLIB_LIBS=-lz: This option provides the linker flags needed to link to the system zlib.

$([ $(uname -m) = x86_64 ] && echo USE_64=1): The USE_64=1 option is required on x86_64, otherwise make will try (and fail) to create 32-bit objects. The [ $(uname -m) = x86_64 ] test ensures it has no effect on a 32-bit system.

$([ -f /usr/include/sqlite3.h ] && echo NSS_USE_SYSTEM_SQLITE=1): This tests whether sqlite is installed and, if so, echoes the option NSS_USE_SYSTEM_SQLITE=1 to make so that the build links against the system version of sqlite.


Installed Programs: certutil, nss-config, and pk12util
Installed Libraries: libcrmf.a,,,,,,,,, and
Installed Directories: /usr/include/nss

Short Descriptions


is the Mozilla Certificate Database Tool. It is a command-line utility that can create and modify the Netscape Communicator cert8.db and key3.db database files. It can also list, generate, modify, or delete certificates within the cert8.db file and create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key3.db file.


is used to determine the NSS library settings of the installed NSS libraries.


is a tool for importing certificates and keys from pkcs #12 files into NSS or exporting them. It can also list certificates and keys in such files.

Last updated on 2014-09-15 22:13:43 -0700


Introduction to OpenSSH

The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network. The ssh and scp commands are secure implementations of telnet and rcp respectively.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information

OpenSSH Dependencies




Linux-PAM-1.1.8, X Window System, MIT Kerberos V5-1.12.2, libedit, OpenSC, and libsectok

Optional Runtime (Used only to gather entropy)

OpenJDK-, Net-tools-CVS_20101030, and Sysstat-11.1.1

User Notes:

Installation of OpenSSH

OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network. Additional installation steps are necessary to set up the proper environment, which are performed by issuing the following commands as the root user:

install -v -m700 -d /var/lib/sshd &&
chown   -v root:sys /var/lib/sshd &&

groupadd -g 50 sshd &&
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd

Install OpenSSH by running the following commands:

./configure --prefix=/usr                     \
            --sysconfdir=/etc/ssh             \
            --with-md5-passwords              \
            --with-privsep-path=/var/lib/sshd &&
make

The testsuite requires an installed copy of scp to complete the multiplexing tests. To run the test suite, first copy the scp program to /usr/bin, making sure that you back up any existing copy first.

To test the results, issue: make tests.

Now, as the root user:

make install                                  &&
install -v -m755 contrib/ssh-copy-id /usr/bin &&
install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 &&
install -v -m755 -d /usr/share/doc/openssh-6.6p1           &&
install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-6.6p1

Command Explanations

--sysconfdir=/etc/ssh: This prevents the configuration files from being installed in /usr/etc.

--with-md5-passwords: This enables the use of MD5 passwords.

--with-pam: This parameter enables Linux-PAM support in the build.

--with-xauth=/usr/bin/xauth: Set the default location for the xauth binary for X authentication. Change the location if xauth will be installed to a different path. This can also be controlled from sshd_config with the XAuthLocation keyword. You can omit this switch if Xorg is already installed.

--with-kerberos5=/usr: This option is used to include Kerberos 5 support in the build.

--with-libedit: This option enables line editing and history features for sftp.

Configuring OpenSSH

Config Files

~/.ssh/*, /etc/ssh/ssh_config, and /etc/ssh/sshd_config

There are no required changes to any of these files. However, you may wish to view the /etc/ssh/ files and make any changes appropriate for the security of your system. One recommended change is that you disable root login via ssh. Execute the following command as the root user to disable root login via ssh:

echo "PermitRootLogin no" >> /etc/ssh/sshd_config

If you want to be able to log in without typing in your password, first create ~/.ssh/id_rsa and ~/.ssh/ with ssh-keygen and then copy ~/.ssh/ to ~/.ssh/authorized_keys on the remote computer that you want to log into. You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote computer and you'll also need to enter your password for the ssh-copy-id command to succeed:

ssh-keygen &&
ssh-copy-id REMOTE_USERNAME@REMOTE_HOSTNAME

Once you've got passwordless logins working it's actually more secure than logging in with a password (as the private key is much longer than most people's passwords). If you would like to now disable password logins, as the root user:

echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config
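
sshd uses the first value it obtains for each keyword, so a line appended with echo has no effect if the same keyword is already set earlier in the file. The following added example (not part of the book; the function names and the sample file are constructed for illustration) reports the value that actually applies for the three keywords appended above:

```shell
#!/bin/sh
# Added example, not from the book: show which value sshd will really use.
# Function names and the sample configuration are constructed.

# sshd_effective FILE KEYWORD
# Prints the first value set for KEYWORD in the global section of FILE.
# Prints nothing when the keyword is not set (the built-in default applies).
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }         # keywords are case-insensitive
        { sub(/^[ \t]+/, "") }                 # strip leading blanks
        /^#/ || /^$/ { next }                  # skip comments and empty lines
        {
            n = match($0, /[ \t=]/)            # keyword ends at blank or "="
            if (n == 0) next
            key = tolower(substr($0, 1, n - 1))
            val = substr($0, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit           # conditional blocks begin here
            if (key == want) { print val; exit }   # first value wins
        }
    ' "$1"
}

# sshd_audit FILE
# Prints one line per keyword and returns the number of keywords whose
# effective value is not "no".
sshd_audit() {
    au_bad=0
    for au_key in PermitRootLogin PasswordAuthentication \
                  ChallengeResponseAuthentication
    do
        au_val=$(sshd_effective "$1" "$au_key")
        if [ "$au_val" = no ]; then
            echo "ok    $au_key no"
        else
            echo "CHECK $au_key ${au_val:-<unset, built-in default applies>}"
            au_bad=$((au_bad + 1))
        fi
    done
    return "$au_bad"
}

# Constructed sample: an earlier "PermitRootLogin yes" followed by the three
# lines that the echo commands append to the end of the file.
write_sample() {
    cat > "$1" << "EOF"
# constructed sshd_config for this example
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

sample=$(mktemp)
write_sample "$sample"
sshd_audit "$sample" || echo "$? keyword(s) not effectively set to no"
rm -f "$sample"
```

On the sample, PermitRootLogin is reported as yes because the earlier line takes precedence over the appended one. On a live system, run sshd_audit /etc/ssh/sshd_config as the root user after making the changes.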

If you added LinuxPAM support and you want ssh to use it, then you will need to add a configuration file for sshd and enable use of LinuxPAM. Note that ssh only uses PAM to check passwords; if you've disabled password logins, these commands are not needed. If you want to use PAM, issue the following commands as the root user:

sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
chmod 644 /etc/pam.d/sshd &&
echo "UsePAM yes" >> /etc/ssh/sshd_config

Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent.

Boot Script

To start the SSH server at system boot, install the /etc/rc.d/init.d/sshd init script included in the blfs-bootscripts-20140919 package.

make install-sshd


Installed Programs: scp, sftp, sftp-server, slogin (symlink to ssh), ssh, sshd, ssh-add, ssh-agent, ssh-copy-id, ssh-keygen, ssh-keyscan, ssh-keysign, and ssh-pkcs11-helper
Installed Libraries: None
Installed Directories: /etc/ssh, /usr/libexec/openssh, /usr/share/doc/openssh-6.6p1, and /var/lib/sshd

Short Descriptions


is a file copy program that acts like rcp except it uses an encrypted protocol.


is an FTP-like program that works over the SSH1 and SSH2 protocols.


is an SFTP server subsystem. This program is not normally called directly by the user.


is a symlink to ssh.


is an rlogin/rsh-like client program except it uses an encrypted protocol.


is a daemon that listens for ssh login requests.


is a tool which adds keys to the ssh-agent.


is an authentication agent that can store private keys.


is a script that enables logins on a remote machine using local keys.


is a key generation tool.


is a utility for gathering public host keys from a number of hosts.


is used by ssh to access the local host keys and generate the digital signature required during hostbased authentication with SSH protocol version 2. This program is not normally called directly by the user.


is an ssh-agent helper program for PKCS#11 support.

Last updated on 2014-09-08 23:39:08 -0700


Introduction to OpenSSL

The OpenSSL package contains management tools and libraries relating to cryptography. These are useful for providing cryptography functions to other packages, such as OpenSSH, email applications and web browsers (for accessing HTTPS sites).

This package is known to build and work properly using an LFS-7.6 platform.

Package Information

Additional Downloads

OpenSSL Dependencies


MIT Kerberos V5-1.12.2

User Notes:

Installation of OpenSSL

Install OpenSSL with the following commands:

patch -Np1 -i ../openssl-1.0.1i-fix_parallel_build-1.patch &&

./config --prefix=/usr         \
         --openssldir=/etc/ssl \
         --libdir=lib          \
         shared                \
         zlib-dynamic &&
make

To test the results, issue: make test.

If you want to disable installing the static libraries, use this sed:

sed -i 's# libcrypto.a##;s# libssl.a##' Makefile

Now, as the root user:

make MANDIR=/usr/share/man MANSUFFIX=ssl install &&
install -dv -m755 /usr/share/doc/openssl-1.0.1i  &&
cp -vfr doc/*     /usr/share/doc/openssl-1.0.1i

Command Explanations

shared: This parameter forces the creation of shared libraries along with the static libraries.

zlib-dynamic: This parameter adds compression/decompression functionality using the libz library.

no-rc5 no-idea: When added to the ./config command, this will eliminate the building of those encryption methods. Patent licenses may be needed for you to utilize either of those methods in your projects.

make MANDIR=/usr/share/man MANSUFFIX=ssl install: This command installs OpenSSL with the man pages in /usr/share/man instead of /etc/ssl/man and appends the "ssl" suffix to the manual page names to avoid conflicts with manual pages installed by other packages.

Configuring OpenSSL

Config Files


Configuration Information

Most users will want to install Certificate Authority Certificates for validation of downloaded certificates. For example, these certificates can be used by git-2.1.0, cURL-7.37.1 or Wget-1.15 when accessing secure (https protocol) sites. To do this, follow the instructions from the Certificate Authority Certificates page.

Users who just want to use OpenSSL for providing functions to other programs such as OpenSSH and web browsers do not need to worry about additional configuration. This is an advanced topic and so those who do need it would normally be expected to either know how to properly update /etc/ssl/openssl.cnf or be able to find out how to do it.


Installed Programs: c_rehash and openssl
Installed Libraries: libcrypto.{so,a}, libssl.{so,a} and several under /usr/lib/engines/
Installed Directories: /etc/ssl, /usr/include/openssl, /usr/lib/engines and /usr/share/doc/openssl-1.0.1i

Short Descriptions


is a Perl script that scans all files in a directory and adds symbolic links to their hash values.


is a command-line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for various functions which are documented in man 1 openssl.


implements a wide range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of SSL, TLS and S/MIME, and they have also been used to implement OpenSSH, OpenPGP, and other cryptographic standards.


implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It provides a rich API, documentation on which can be found by running man 3 ssl.

Last updated on 2014-09-08 23:39:08 -0700


Introduction to p11-kit

The p11-kit package provides a way to load and enumerate PKCS #11 (a Cryptographic Token Interface Standard) modules.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information

p11-kit Dependencies


NSS-3.17, GTK-Doc-1.20 and libxslt-1.1.28

User Notes:

Installation of p11-kit

Install p11-kit by running the following commands:

./configure --prefix=/usr --sysconfdir=/etc &&
make

To test the results, issue: make check. The test-token test is known to fail.

Now, as the root user:

make install

Command Explanations

--with-hash-impl=freebl: Use this switch if you want to use Freebl library from NSS for SHA1 and MD5 hashing.

--enable-doc: Use this switch if you have installed GTK-Doc-1.20 and libxslt-1.1.28 and wish to rebuild the documentation and generate manual pages.


Installed Programs: p11-kit and trust
Installed Libraries:, and /usr/lib/pkcs11/
Installed Directories: /etc/pkcs11, /usr/include/p11-kit-1, /usr/lib/{p11-kit,pkcs11}, /usr/share/gtk-doc/html/p11-kit, and /usr/share/p11-kit

Short Descriptions


is a command line tool that can be used to perform operations on PKCS#11 modules configured on the system.

contains functions used to coordinate initialization and finalization of any PKCS#11 module.

is the PKCS#11 proxy module.

Last updated on 2014-09-16 10:29:57 -0700


Introduction to Polkit

Polkit is a toolkit for defining and handling authorizations. It is used for allowing unprivileged processes to communicate with privileged processes.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information

Polkit Dependencies


GLib-2.40.0, and JS-17.0.0

Optional (Required if building GNOME)



docbook-xml-4.5, docbook-xsl-1.78.1, GTK-Doc-1.20, libxslt-1.1.28 and Linux-PAM-1.1.8


If libxslt-1.1.28 is installed, then docbook-xml-4.5 and docbook-xsl-1.78.1 are required. If you have installed libxslt-1.1.28, but you do not want to install any of the DocBook packages mentioned, you will need to use --disable-man-pages in the instructions below.

User Notes:

Installation of Polkit

There should be a dedicated user and group to take control of the polkitd daemon after it is started. Issue the following commands as the root user:

groupadd -fg 27 polkitd &&
useradd -c "PolicyKit Daemon Owner" -d /etc/polkit-1 -u 27 \
        -g polkitd -s /bin/false polkitd

Install Polkit by running the following commands:

./configure --prefix=/usr                \
            --sysconfdir=/etc            \
            --localstatedir=/var         \
            --disable-static             \
            --enable-libsystemd-login=no \
            --with-authfw=shadow         &&
make

To test the results, issue: make check. Note that the system D-Bus daemon must be running for the testsuite to complete. There is also a warning about the ConsoleKit database not being present, but it can be safely ignored.

Now, as the root user:

make install

Command Explanations

--enable-libsystemd-login=no: This parameter fixes building without systemd, which is not part of LFS/BLFS. If you use systemd, replace "no" by "yes".

--with-authfw=shadow: This parameter configures the package to use the Shadow rather than the Linux PAM Authentication framework. Remove it if you would like to use Linux PAM.

--disable-static: This switch prevents installation of static versions of the libraries.

--enable-gtk-doc: Use this parameter if GTK-Doc is installed and you wish to rebuild and install the API documentation.

Configuring Polkit

PAM Configuration


If you did not build Polkit with Linux PAM support, you can skip this section.

If you have built Polkit with Linux PAM support, you need to modify the PAM configuration file that was installed by default to get Polkit to work correctly with BLFS. Issue the following commands as the root user to create the configuration file for Linux PAM:

cat > /etc/pam.d/polkit-1 << "EOF"
# Begin /etc/pam.d/polkit-1

auth     include        system-auth
account  include        system-account
password include        system-password
session  include        system-session

# End /etc/pam.d/polkit-1
EOF


Installed Programs: pkaction, pkcheck, pk-example-frobnicate, pkexec, pkttyagent and polkitd
Installed Libraries: and
Installed Directories: /etc/polkit-1, /usr/include/polkit-1, /usr/lib/polkit-1, /usr/share/gtk-doc/html/polkit-1 and /usr/share/polkit-1

Short Descriptions


is used to obtain information about registered PolicyKit actions.


is used to check whether a process is authorized for an action.


allows an authorized user to execute a command as another user.


is used to start a textual authentication agent for the subject.


provides the org.freedesktop.PolicyKit1 D-Bus service on the system message bus.

contains the Polkit authentication agent API functions.

contains the Polkit authorization API functions.

Last updated on 2014-09-09 12:00:35 -0700


Introduction to Shadow

Shadow was indeed installed in LFS and there is no reason to reinstall it unless you installed CrackLib or Linux-PAM after your LFS system was completed. If you have installed CrackLib after LFS, then reinstalling Shadow will enable strong password support. If you have installed Linux-PAM, reinstalling Shadow will allow programs such as login and su to utilize PAM.

This package is known to build and work properly using an LFS-7.6 platform.

Package Information

Shadow Dependencies


Linux-PAM-1.1.8 or CrackLib-2.9.1

User Notes:

Installation of Shadow


The installation commands shown below are for installations where Linux-PAM has been installed (with or without a CrackLib installation) and Shadow is being reinstalled to support the Linux-PAM installation.

If you are reinstalling Shadow to provide strong password support using the CrackLib library without using Linux-PAM, ensure you add the --with-libcrack parameter to the configure script below and also issue the following command:

sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs

Reinstall Shadow by running the following commands:

sed -i 's/groups$(EXEEXT) //' src/ &&
find man -name -exec sed -i 's/groups\.1 / /' {} \; &&

sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' \
       -e 's@/var/spool/mail@/var/mail@' etc/login.defs &&

sed -i 's/1000/999/' etc/useradd &&

./configure --sysconfdir=/etc --with-group-name-max-length=32 &&
make

This package does not come with a test suite.

Now, as the root user:

make install &&
mv -v /usr/bin/passwd /bin

Command Explanations

sed -i 's/groups$(EXEEXT) //' src/ This sed is used to suppress the installation of the groups program as the version from the Coreutils package installed during LFS is preferred.

find man -name -exec ... {} \;: This command is used to suppress the installation of the groups man pages so the existing ones installed from the Coreutils package are not replaced.

sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD SHA512@' -e 's@/var/spool/mail@/var/mail@' etc/login.defs: Instead of using the default 'DES' method, this command modifies the installation to use the more secure 'SHA512' method of hashing passwords, which also allows passwords longer than eight characters. It also changes the obsolete /var/spool/mail location for user mailboxes that Shadow uses by default to the /var/mail location.

sed -i 's/1000/999/' etc/useradd: Make a minor change to make the default useradd consistent with the LFS groups file.

--with-group-name-max-length=32: The maximum user name is 32 characters. Make the maximum group name the same.

mv -v /usr/bin/passwd /bin: The passwd program may be needed during times when the /usr filesystem is not mounted so it is moved into the root partition.

Configuring Shadow

Shadow's stock configuration for the useradd utility may not be desirable for your installation. One default parameter causes useradd to create a mailbox file for any newly created user. useradd will assign group ownership of this file to the mail group, with 0660 permissions. If you would prefer that these mailbox files are not created by useradd, issue the following command as the root user:

sed -i 's/yes/no/' /etc/default/useradd

Configuring Linux-PAM to Work with Shadow


The rest of this page is devoted to configuring Shadow to work properly with Linux-PAM. If you do not have Linux-PAM installed, and you reinstalled Shadow to support strong passwords via the CrackLib library, no further configuration is required.

Config Files

/etc/pam.d/* or alternatively /etc/pam.conf, /etc/login.defs and /etc/security/*

Configuration Information

Configuring your system to use Linux-PAM can be a complex task. The information below will provide a basic setup so that Shadow's login and password functionality will work effectively with Linux-PAM. Review the information and links on the Linux-PAM-1.1.8 page for further configuration information. For information specific to integrating Shadow, Linux-PAM and CrackLib, you can visit the following link:

Configuring /etc/login.defs

The login program currently performs many functions which Linux-PAM modules should now handle. The following sed command will comment out the appropriate lines in /etc/login.defs, and stop login from performing these functions (a backup file named /etc/login.defs.orig is also created to preserve the original file's contents). Issue the following commands as the root user:

install -v -m644 /etc/login.defs /etc/login.defs.orig &&
for FUNCTION in FAIL_DELAY               \
                FAILLOG_ENAB             \
                LASTLOG_ENAB             \
                MAIL_CHECK_ENAB          \
                OBSCURE_CHECKS_ENAB      \
                PORTTIME_CHECKS_ENAB     \
                QUOTAS_ENAB              \
                CONSOLE MOTD_FILE        \
                FTMP_FILE NOLOGINS_FILE  \
                ENV_HZ PASS_MIN_LEN      \
                SU_WHEEL_ONLY            \
                CRACKLIB_DICTPATH        \
                PASS_CHANGE_TRIES        \
                PASS_ALWAYS_WARN         \
                CHFN_AUTH ENCRYPT_METHOD
do
    sed -i "s/^${FUNCTION}/# &/" /etc/login.defs
done

Configuring the /etc/pam.d/ Files

As mentioned previously in the Linux-PAM instructions, Linux-PAM has two supported methods for configuration. The commands below assume that you've chosen to use a directory based configuration, where each program has its own configuration file. You can optionally use a single /etc/pam.conf configuration file by using the text from the files below, and supplying the program name as an additional first field for each line.

As the root user, replace the following Linux-PAM configuration files in the /etc/pam.d/ directory (or add the contents to the /etc/pam.conf file) using the following commands:

cat > /etc/pam.d/system-account << "EOF"
# Begin /etc/pam.d/system-account

account   required

# End /etc/pam.d/system-account
EOF

cat > /etc/pam.d/system-auth << "EOF"
# Begin /etc/pam.d/system-auth

auth      required

# End /etc/pam.d/system-auth
EOF

'system-passwd' (with cracklib)

cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# check new passwords for strength (man pam_cracklib)
password  required   type=Linux retry=3 difok=5 \
                                        difignore=23 minlen=9 dcredit=1 \
                                        ucredit=1 lcredit=1 ocredit=1 \
# use sha512 hash for encryption, use shadow, and use the
# authentication token (chosen password) set by pam_cracklib
# above (or any previous modules)
password  required       sha512 shadow use_authtok

# End /etc/pam.d/system-password
EOF


In its default configuration, owing to credits, pam_cracklib will allow multiple case passwords as short as 6 characters, even with the minlen value set to 11. You should review the pam_cracklib(8) man page and determine if these default values are acceptable for the security of your system.
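
The credit arithmetic behind that warning, as an added example that is not part of the book: a shell model of the length rule documented in pam_cracklib(8), run with the minlen=9 and credit values of 1 from the system-password file above. The function names are hypothetical, the sample passwords are constructed ASCII strings, and the dictionary and similarity checks are not modelled.

```shell
#!/bin/sh
# Added example, not from the book: model of the pam_cracklib length rule.
# CRACKLIB_FLOOR is the limit of 6 inside Cracklib that pam_cracklib(8)
# says is checked without reference to minlen.
CRACKLIB_FLOOR=6

# count_class SET PASSWORD -> number of bytes of PASSWORD that are in SET
count_class() {
    # tr -cd deletes everything outside SET; $(( )) strips wc's padding
    echo $(( $(printf '%s' "$2" | LC_ALL=C tr -cd "$1" | wc -c) ))
}

# credit COUNT SETTING -> credit earned by one character class
#   SETTING >= 0: +1 per character, capped at SETTING
#   SETTING <  0: no credit, and at least -SETTING characters are mandatory
#                 (prints "fail" when that requirement is not met)
credit() {
    if [ "$2" -ge 0 ]; then
        if [ "$1" -gt "$2" ]; then echo "$2"; else echo "$1"; fi
    elif [ "$1" -lt $(( 0 - $2 )) ]; then
        echo fail
    else
        echo 0
    fi
}

# length_check MINLEN DCREDIT UCREDIT LCREDIT OCREDIT PASSWORD
# Returns 0 when PASSWORD passes the length rule, 1 otherwise.
length_check() {
    lc_len=$(( $(printf '%s' "$6" | wc -c) ))
    lc_d=$(count_class '0-9' "$6")
    lc_u=$(count_class 'A-Z' "$6")
    lc_l=$(count_class 'a-z' "$6")
    lc_o=$(( lc_len - lc_d - lc_u - lc_l ))     # everything else is "other"
    lc_need=$1
    for lc_pair in "$lc_d:$2" "$lc_u:$3" "$lc_l:$4" "$lc_o:$5"; do
        lc_c=$(credit "${lc_pair%%:*}" "${lc_pair#*:}")
        if [ "$lc_c" = fail ]; then return 1; fi
        lc_need=$(( lc_need - lc_c ))           # each credit shortens minlen
    done
    [ "$lc_len" -ge "$CRACKLIB_FLOOR" ] && [ "$lc_len" -ge "$lc_need" ]
}

# shortest_accepted MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# Prints the shortest length that can pass length_check when the password
# uses its character classes as favourably as the settings allow.
shortest_accepted() {
    sh_min=$1; shift
    sh_credit=0     # total credit on offer from the non-negative settings
    sh_forced=0     # characters demanded by negative settings (earn nothing)
    for sh_c in "$@"; do
        if [ "$sh_c" -ge 0 ]; then
            sh_credit=$(( sh_credit + sh_c ))
        else
            sh_forced=$(( sh_forced - sh_c ))
        fi
    done
    sh_len=$CRACKLIB_FLOOR
    if [ "$sh_len" -lt "$sh_forced" ]; then sh_len=$sh_forced; fi
    while :; do
        sh_earn=$(( sh_len - sh_forced ))
        if [ "$sh_earn" -gt "$sh_credit" ]; then sh_earn=$sh_credit; fi
        if [ $(( sh_len + sh_earn )) -ge "$sh_min" ]; then break; fi
        sh_len=$(( sh_len + 1 ))
    done
    echo "$sh_len"
}

# Constructed sample passwords, checked against the values used above.
for pw in 'abcdefg' 'abcdefgh' 'aB3$x' 'aB3$xy'; do
    if length_check 9 1 1 1 1 "$pw"; then r=accepted; else r=rejected; fi
    printf '%-10s %s\n' "$pw" "$r"
done
echo "shortest accepted length: $(shortest_accepted 9 1 1 1 1)"
```

Setting a credit to a negative number, for example dcredit=-1, makes that class mandatory and removes its credit, as described in pam_cracklib(8).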

'system-passwd' (without cracklib)

cat > /etc/pam.d/system-password << "EOF"
# Begin /etc/pam.d/system-password

# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password  required       sha512 shadow try_first_pass

# End /etc/pam.d/system-password
EOF

cat > /etc/pam.d/system-session << "EOF"
# Begin /etc/pam.d/system-session

session   required

# End /etc/pam.d/system-session
EOF

cat > /etc/pam.d/login << "EOF"
# Begin /etc/pam.d/login

# Set failure delay before next prompt to 3 seconds
auth      optional  delay=3000000

# Check to make sure that the user is allowed to login
auth      requisite

# Check to make sure that root is allowed to login
# Disabled by default. You will need to create /etc/securetty
# file for this module to function. See man 5 securetty.
#auth      required

# Additional group memberships - disabled by default
#auth      optional

# include the default auth settings
auth      include     system-auth

# check access for the user
account   required

# include the default account settings
account   include     system-account

# Set default environment variables for the user
session   required

# Set resource limits for the user
session   required

# Display date of last login - Disabled by default
#session   optional

# Display the message of the day - Disabled by default
#session   optional

# Check user's mail - Disabled by default
#session   optional      standard quiet

# include the default session and password settings
session   include     system-session
password  include     system-password

# End /etc/pam.d/login
EOF

cat > /etc/pam.d/passwd << "EOF"
# Begin /etc/pam.d/passwd

password  include     system-password

# End /etc/pam.d/passwd
EOF

cat > /etc/pam.d/su << "EOF"
# Begin /etc/pam.d/su

# always allow root
auth      sufficient
auth      include     system-auth

# include the default account settings
account   include     system-account

# Set default environment variables for the service user
session   required

# include system session defaults
session   include     system-session

# End /etc/pam.d/su
EOF

cat > /etc/pam.d/chage << "EOF"
# Begin /etc/pam.d/chage

# always allow root
auth      sufficient

# include system defaults for auth account and session
auth      include     system-auth
account   include     system-account
session   include     system-session

# Always permit for authentication updates
password  required

# End /etc/pam.d/chage
EOF
Other common programs
for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
               groupmems groupmod newusers useradd userdel usermod
do
    install -v -m644 /etc/pam.d/chage /etc/pam.d/${PROGRAM}
    sed -i "s/chage/$PROGRAM/" /etc/pam.d/${PROGRAM}
done


At this point, you should do a simple test to see if Shadow is working as expected. Open another terminal and log in as a user, then su to root. If you do not see any errors, then all is well and you should proceed with the rest of the configuration. If you did receive errors, stop now and double check the above configuration files manually. You can also run the test suite from the Linux-PAM package to assist you in determining the problem. If you cannot find and fix the error, you should recompile Shadow adding the --without-libpam switch to the configure command in the above instructions (also move the /etc/login.defs.orig backup file to /etc/login.defs). If you fail to do this and the errors remain, you will be unable to log into your system.


Currently, /etc/pam.d/other is configured to allow anyone with an account on the machine to use PAM-aware programs without a configuration file for that program. After testing Linux-PAM for proper configuration, install a more restrictive other file so that program-specific configuration files are required:

cat > /etc/pam.d/other << "EOF"
# Begin /etc/pam.d/other

auth        required
auth        required
account     required
account     required
password    required
password    required
session     required
session     required

# End /etc/pam.d/other
EOF
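
An added example, not part of the book: a small audit that confirms a fallback file such as /etc/pam.d/other cannot admit a request. Treating pam_deny.so and pam_warn.so as the only acceptable modules (and using pam_unix.so in the permissive sample) is an assumption, since the listing above does not show module names; audit_pam_other and write_samples are hypothetical names and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit a PAM fallback ("other") file.
# Assumption: only pam_deny.so and pam_warn.so belong in a restrictive fallback.

# Returns 0 only if every rule is pam_warn.so or a required/requisite
# pam_deny.so, and all four management groups have a pam_deny.so rule.
audit_pam_other() {
    file=$1 rc=0 denied=""
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    while read -r type control module _rest || [ -n "$type" ]; do
        case $type in ''|'#'*) continue ;; esac
        type=${type#-}                 # "-type" only silences missing-module logs
        module=${module##*/}           # accept absolute module paths
        case "$control:$module" in
            required:pam_deny.so|requisite:pam_deny.so) denied="$denied $type" ;;
            *:pam_warn.so) ;;          # logs the attempt, never grants access
            *) echo "$file: not a deny/warn rule: $type $control $module"
               rc=1 ;;
        esac
    done < "$file"
    for group in auth account password session; do
        case " $denied " in
            *" $group "*) ;;
            *) echo "$file: no pam_deny.so rule for $group"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files (not taken from a real system).
write_samples() {
    dir=$1
    for g in auth account password session; do
        printf '%-10s required  pam_unix.so\n' "$g"
    done > "$dir/other.permissive"
    {
        echo '# Begin other'
        for g in auth account password session; do
            printf '%-10s required  pam_warn.so\n%-10s required  pam_deny.so\n' "$g" "$g"
        done
    } > "$dir/other.restrictive"
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_pam_other "$tmp/other.restrictive" && echo "restrictive: OK"
audit_pam_other "$tmp/other.permissive" || echo "permissive: flagged"
rm -rf "$tmp"
```

Run it against the real file with audit_pam_other /etc/pam.d/other after installing the restrictive version.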
Configuring Login Access

Instead of using the /etc/login.access file for controlling access to the system, Linux-PAM uses the module along with the /etc/security/access.conf file. Rename the /etc/login.access file using the following command:

[ -f /etc/login.access ] && mv -v /etc/login.access{,.NOUSE}
Configuring Resource Limits

Instead of using the /etc/limits file for limiting usage of system resources, Linux-PAM uses the module along with the /etc/security/limits.conf file. Rename the /etc/limits file using the following command:

[ -f /etc/limits ] && mv -v /etc/limits{,.NOUSE}


A list of the installed files, along with their short descriptions can be found at

Last updated on 2014-09-10 06:19:10 -0700


Introduction to ssh-askpass

ssh-askpass is a generic executable name used by many similarly named packages that provide an interactive X service for collecting the password on behalf of programs that require administrative privileges to run. It prompts the user with a dialog window in which the necessary password can be entered. Here, we choose Damien Miller's package distributed in the OpenSSH tarball.

This package is known to build and work properly using an LFS-7.6 platform.

ssh-askpass Dependencies


GTK+-2.24.24, Sudo-1.8.10p3 (runtime), Xorg Libraries, and X Window System (runtime)

Installation of ssh-askpass

Install ssh-askpass by running the following commands:

cd contrib &&
make gnome-ssh-askpass2

Now, as the root user:

install -v -d -m755                  /usr/libexec/openssh/contrib     &&
install -v -m755  gnome-ssh-askpass2 /usr/libexec/openssh/contrib     &&
ln -sv -f contrib/gnome-ssh-askpass2 /usr/libexec/openssh/ssh-askpass

Installing into /usr/libexec/openssh/contrib and pointing a symlink at the program is done so that a different program can be substituted for that service later, should that become necessary.

Configuring ssh-askpass

Configuration Information

As the root user, configure Sudo-1.8.10p3 to use ssh-askpass:

cat >> /etc/sudo.conf << "EOF" &&
# Path to askpass helper program
Path askpass /usr/libexec/openssh/ssh-askpass
EOF
chmod -v 0644 /etc/sudo.conf

If a given graphical <application> requires administrative privileges, run sudo -A <application> from an x-terminal or from a Window Manager menu, and/or replace "Exec=<application> ..." with "Exec=sudo -A <application> ..." in the <application>.desktop file.
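
Because sudo -A hands the password prompt to whatever the Path askpass entry points at, it is worth confirming that the entry resolves through the symlink to a file that only its owner can change. The following check is an added example, not from the book; check_askpass, make_sample and the owner argument are hypothetical names, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: check the askpass helper named in a sudo.conf-style file.
# Function names and the owner argument are assumptions made for this example.

# Prints one line per problem. Returns 0 only if every "Path askpass" entry
# resolves (through symlinks) to an executable regular file that is owned by
# uid $2 (default 0) and is not writable by group or others.
check_askpass() {
    conf=$1 owner=${2:-0} rc=0 found=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    while read -r kw name path _rest || [ -n "$kw" ]; do
        [ "$kw" = Path ] && [ "$name" = askpass ] || continue
        found=1
        target=$(readlink -f -- "$path") || target=
        if [ -z "$target" ] || [ ! -f "$target" ] || [ ! -x "$target" ]; then
            echo "$path: does not resolve to an executable file"; rc=1; continue
        fi
        [ -n "$(find "$target" -prune -user "$owner")" ] ||
            { echo "$target: not owned by uid $owner"; rc=1; }
        [ -z "$(find "$target" -prune \( -perm -g+w -o -perm -o+w \))" ] ||
            { echo "$target: writable by group or others"; rc=1; }
    done < "$conf"
    [ "$found" -eq 1 ] || { echo "$conf: no Path askpass entry"; rc=1; }
    return $rc
}

# Constructed layout mirroring the page: helper in contrib/, symlink beside it.
make_sample() {
    root=$1
    mkdir -p "$root/openssh/contrib"
    printf '#!/bin/sh\nexit 0\n' > "$root/openssh/contrib/gnome-ssh-askpass2"
    chmod 755 "$root/openssh/contrib/gnome-ssh-askpass2"
    ln -sf contrib/gnome-ssh-askpass2 "$root/openssh/ssh-askpass"
    printf '# Path to askpass helper program\nPath askpass %s\n' \
        "$root/openssh/ssh-askpass" > "$root/sudo.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_askpass "$tmp/sudo.conf" "$(id -u)" && echo "helper OK"
chmod o+w "$tmp/openssh/contrib/gnome-ssh-askpass2"
check_askpass "$tmp/sudo.conf" "$(id -u)" || echo "helper flagged"
rm -rf "$tmp"
```

On the installed system, check_askpass /etc/sudo.conf uses the default owner of uid 0.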


Installed Programs: ssh-askpass (symlink) and gnome-ssh-askpass2
Installed Library: None
Installed Directory: /usr/libexec/openssh/contrib

Short Descriptions


is the program help