hardened uclibc: security-enhanced, fully featured XFCE4 desktop for amd64, built on uClibc

Anthony G. Basile basile at opensource.dyc.edu
Wed Jun 5 14:15:35 UTC 2013


Hi everyone,

I'm forwarding an announcement I made on 
gentoo-announce at lists.gentoo.org.  It may be of interest to this list too:

I'd like to announce a new (fun?) initiative of the hardened uClibc 
subproject: a security-enhanced, fully featured XFCE4 desktop for amd64, 
built on uClibc, codenamed "Lilblue", after the little blue penguin of 
New Zealand [1], a smaller cousin of the Gentoo.

The hardened uClibc subproject aims at producing hardened stage3s for 
amd64, mips (isa=mips32r2/mipsel3, abi=o32), armv7a (softfloat) and i686 
[2].  Recent improvements in uClibc and bugfixes in various Gentoo 
packages, both downstream and upstream, now make it possible to build an 
entire desktop system replacing glibc with uClibc.  So, in addition to 
the stage3s, we are now releasing a fully featured XFCE4 desktop for 
arch=amd64.  It does *not* depend on busybox to provide its core 
utilities like most uClibc systems, but coreutils, util-linux and all 
the usual system packages you find on a generic Gentoo system.  The 
tarball bundles about 800 packages including epiphany, claws, hexchat, 
abiword, gqview, transmission, vinagre, etc.  We have plans to provide 
binpkgs for up to 7000 packages in all.  The hardening includes all of 
the usual toolchain and kernel hardening you get in regular hardened 
glibc-based Gentoo.

The project has been in development for a year but should be considered 
experimental.  A user base of ... uhm ... one ... does not really 
qualify it to be labeled as "safe for production" [3]. However, I have 
had no issues with it (minor bugs of course) and I use it on a daily 
basis.  For the average user, the main advantage is speed and the system 
does feel "snappy".  For developers, it's fun to dig into bugs which 
revolve around what functions are provided by your standard C lib: is 
this POSIX or a GNU-ism?  Should I fix the package or add a new function 
to uClibc?  What is the best way to implement this fix so it ports 
across different *libcs?  What do I do about this package whose build 
system is braindead and doesn't understand libdir?  If you have too much 
time on your hands and you're into that kind of "fun" we have a project 
for you!  On a serious note, the main reason for this initiative is to 
explore and expand the usefulness of an alternative standard C library.

The home page is at [4] and a freecode.com announcement at [5].  It can 
be downloaded from any gentoo mirror [6] at 
[mirror]/gentoo/experimental/amd64/uclibc/desktop-amd64-uclibc-hardened-[date].tar.bz2. 
The date of the first release is 20130531.

Ref.
[1] https://en.wikipedia.org/wiki/Little_Penguin
[2] http://www.gentoo.org/proj/en/hardened/uclibc/index.xml
[3] This is not entirely true.  I would like to thank my students for 
testing, especially Devan Franchini <twitch153 at hotmail.com>.
[4] http://www.gentoo.org/proj/en/hardened/uclibc/lilblue.xml
[5] https://freecode.com/projects/lilblue-linux
[6] http://www.gentoo.org/main/en/mirrors2.xml

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197