> Okay gang, got the FTP security patch from the Netfilter boys and applied
> it. Kernel is compiled and I'm about to tar and gzip it. I also took the
> opportunity to go weeding.
>
> The final result is as follows:
>
> 1. Kernel is no longer able to mount filesystem images on the loopback
> device.
This seems like a bad thing, but it is probably tolerable. Why not make the
loopback device a module? Note that a loopback device or a spare ramdisk
will be required to back up the initial ramdisk image if we migrate away from
the initrd-archive patch and use a plain-vanilla kernel...
> 2. There is no longer a PCI Device Database, so PCI devices are listed in
> /proc/pci by card ID.
Absolutely no problem here...
> 3. The Network Block Device was removed, as I couldn't really see a need
> for it on a secure system.
Does it save a lot of space being removed over being a module?
> 4. Modularized serial support.
OK, but this prevents headless boxes controlled with a serial cable...
> Some of these are a little questionable in my own mind, to be honest, so
> I'd like some feedback from people on whether or not the tradeoff is
> acceptable. However, the final results are impressive. Here's the previous
> Standard and UPX-Compressed 2.4.3 kernels:
>
> -rw-r--r-- 1 wolfstar root 552k Apr 11 03:45 kernel.standard
> -rw-r--r-- 1 wolfstar root 481k Apr 11 03:46 kernel.upx
>
> Here's the current one:
>
> -rw-r--r-- 1 wolfstar root 474k Apr 20 02:38 kernel.standard
> -rw-r--r-- 1 wolfstar root 411k Apr 20 02:39 kernel.upx
>
> So we're looking at about 70-75k of space savings, and that's TRULY
> spectacular. I might go back in and try putting back the Serial support
> and see how that affects kernel size, but this is a LOT of space saving.
It'd be interesting to see how much each option affected size, but overall a
411K 2.4 kernel is VERY COOL, and should be quite usable for floppy
firewalls. While I'd like to see a 'one size fits all' kernel, perhaps
there could be a floppy-only, minimal kernel, and a larger kernel with all
the 'goodies' like RAID, loopback, etc. (compiled as modules, where possible)
for folks running from CD, HDD, Flash, or what have you.
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Leaf-devel mailing list
http://lists.sourceforge.net/lists/listinfo/leaf-devel