linux-from-scratch/lfs-buildscripts
1
0
Fork 0
mirror of https://github.com/YellowJacketLinux/lfs-buildscripts.git synced 2025-01-23 05:52:21 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

doc updates

Browse Source
This commit is contained in:
YellowJacketLinux 2024-10-11 22:55:35 -07:00
parent 37f557f41b
commit 1debcf6060
2 changed files with 47 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
SECURE_DNS.md
View File

@ -101,7 +101,7 @@ have not seen researched.
If (and when if not currently) `systemd-resolved` with DNSSEC validation works
smoothly and reliably it absolutely should be used in place of
`/etc/resolv.conf` for DNS resolution of a Linux desktop.
`/etc/resolv.conf` for DNS resolution of a GNU/Linux desktop.
Until `systemd-resolved` with DNSSEC validation works smoothly and reliably,
the best solution is to run `unbound` in DNSSEC enforcing mode on your local
@ -115,7 +115,7 @@ DNS over TLS (DoT)
------------------
DNS over TLS is just like regular DNS except it uses a TLS connection to make
the request and receive the answer.
the request and receive the answer. DoT should not be confused with DoH.
DoT does offer protection against DNS injection attacks between the client and
the recursive server it queries, but it is important to understand that DoT is
@ -167,7 +167,7 @@ activity. If your system is configured to *only* allow DoT queries, your system
will not work on a network that blocks DoT queries.
Honestly I just recommend desktop systems enforce DNSSEC but should avoid DoT
and only use opportunistic DoT when if they really want to use it at all.
and only use opportunistic DoT when and if they really want to use it at all.
Recursive DNS servers absolutely should use DoT when communicating with the
authoritative DNS servers they query, however, even then it should be
@ -186,8 +186,8 @@ default but users will be told how to enable it in opportunistic mode.
Until `systemd-resolved` works well and smoothly in DNSSEC enforcing mode, I
will disable it by default. Users who want it of course can enable it. I really
do not YJL to be a distribution that pushes technology not quite ready for mass
adoption on its users.
do not want YJL to be a distribution that pushes technology not quite ready for
mass adoption on its users.
If `systemd-resolved` with DNSSEC support is not yet working well and smoothly
when the first official YJL release happens, then YJL will ship with `unbound`

43
THE_WHY.md
View File

@ -275,11 +275,44 @@ Google Noto fonts will provide decent coverage but probably are not the best
collection of fonts for many scripts out there.
To Be Researched
----------------
A lot of hardware, especially modern hardware, requires binary blobs to properly
function. These binary blobs can often be found in the Linux Firmware git at:
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/
As they are binary blobs, they can not be shipped as part of a Linux kernel
package because of the GPL but they can be shipped as part of a separate package
and then loaded by the kernel while the kernel is booting.
Loading them by the kernel while the kernel is booting generally requires that
they be placed into an `initrd` image that the `grub` boot loader knows about.
BLFS has a really good write-up on this in Chapter 3 but I need to do a lot more
research on the topic *especially* since the proper way to handle it may depend
specifically on the hardware that needs the blob loaded.
Controversial Design Decisions
------------------------------
At least I *think* these are controversial design decisions...
### Ease of Use
Ease of Use is not my biggest concern. Not everything needs a GUI tool, I do not
think it is a problem for the user to be expected to know how to use a text
editor from a console to perform some configuration tasks.
I am certainly not opposed to configuration tools that are properly written but
for example, I do not have a problem with manual creation of the files in the
`/etc/systemd/network` directory being necessary in order for networking to
work.
Operating systems used to come with a printed manual. Was that really so bad?
### SELinux
YJL will not support SELinux. SELinux support is really the kind of thing that
@ -323,7 +356,15 @@ collecting the data in the first place even if they claim to anonymize it, and
when they do collect it, it should be opt-in with the user fully understanding
the potential implications of the data collection.
That article is just but one example.
That article is just but one example. Another example is FireFox defaulting to
DNS over HTTPS by default. See thr section labeled __DNS over HTTPS (DoH)__
in the file `SECURE_DNS.md` for details.
It is true that YJL could ship a version of FireFox patched to disable those
defaults (or even remove the features completely) but that is a lot of work and
also, the fact that the code is in FireFox and enabled by default to start with
makes me very suspicious of what *else* is in their code that is potentially
harmful to users. I just do not trust them.
YJL will package web browsers, but not FireFox (or Chromium as it seems to me to
be just as bad).