Beyond Linux® From Scratch (systemd Edition)

Version 12.1

The BLFS Development Team

Copyright © 1999-2024, The BLFS Development Team

All rights reserved.

This book is licensed under a Creative Commons License.

Computer instructions may be extracted from the book under the MIT License.

Linux® is a registered trademark of Linus Torvalds.

Published 2024-03-01

Revision History
Revision 12.1 2024-03-01 Twenty-ninth Release
Revision 12.0 2023-09-01 Twenty-eighth Release
Revision 11.3 2023-03-01 Twenty-seventh Release
Revision 11.2 2022-09-01 Twenty-sixth Release
Revision 11.1 2022-03-01 Twenty-fifth Release
Revision 11.0 2021-09-01 Twenty-fourth Release
Revision 10.1 2021-03-01 Twenty-third Release
Revision 10.0 2020-09-01 Twenty-second Release
Revision 9.1 2020-03-01 Twenty-first Release
Revision 9.0 2019-09-01 Twentieth release
Revision 8.4 2019-03-01 Nineteenth release
Revision 8.3 2018-09-01 Eighteenth release
Revision 8.2 2018-03-02 Seventeenth release
Revision 8.1 2017-09-01 Sixteenth release
Revision 8.0 2017-02-25 Fifteenth release
Revision 7.10 2016-09-07 Fourteenth release
Revision 7.9 2016-03-08 Thirteenth release
Revision 7.8 2015-10-01 Twelfth release
Revision 7.7 2015-03-06 Eleventh release
Revision 7.6 2014-09-23 Tenth release
Revision 7.5 2014-03-05 Ninth release
Revision 7.4 2013-09-14 Eighth release
Revision 6.3 2008-08-24 Seventh release
Revision 6.2 2007-02-14 Sixth release
Revision 6.1 2005-08-14 Fifth release
Revision 6.0 2005-04-02 Fourth release
Revision 5.1 2004-06-05 Third release
Revision 5.0 2003-11-06 Second release
Revision 1.0 2003-04-25 First release


This book follows on from the Linux From Scratch book. It introduces and guides the reader through additions to the system including networking, graphical interfaces, sound support, and printer and scanner support.


This book is dedicated to the LFS community

Table of Contents


Having helped out with Linux From Scratch for a short time, I noticed that we were getting many queries as to how to do things beyond the base LFS system. At the time, the only assistance specifically offered relating to LFS were the LFS hints ( Most of the LFS hints are extremely good and well written but I (and others) could still see a need for more comprehensive help to go Beyond LFS — hence BLFS.

BLFS aims to be more than the LFS-hints converted to XML although much of our work is based around the hints and indeed some authors write both hints and the relevant BLFS sections. We hope that we can provide you with enough information to not only manage to build your system up to what you want, whether it be a web server or a multimedia desktop system, but also that you will learn a lot about system configuration as you go.

Thanks as ever go to everyone in the LFS/BLFS community; especially those who have contributed instructions, written text, answered questions and generally shouted when things were wrong!

Finally, we encourage you to become involved in the community; ask questions on the mailing list or news gateway and join in the fun on #lfs and #lfs-support at Libera. You can find more details about all of these in the Introduction section of the book.

Enjoy using BLFS.

Mark Hymers
markh <at>
BLFS Editor (July 2001–March 2003)

I still remember how I found the BLFS project and started using the instructions that were completed at the time. I could not believe how wonderful it was to get an application up and running very quickly, with explanations as to why things were done a certain way. Unfortunately, for me, it wasn't long before I was opening applications that had nothing more than "To be done" on the page. I did what most would do, I waited for someone else to do it. It wasn't too long before I am looking through Bugzilla for something easy to do. As with any learning experience, the definition of what was easy kept changing.

We still encourage you to become involved as BLFS is never really finished. Contributing or just using, we hope you enjoy your BLFS experience.

Larry Lawrence
larry <at>
BLFS Editor (March 2003–June 2004)

The BLFS project is a natural progression of LFS. Together, these projects provide a unique resource for the Open Source Community. They take the mystery out of the process of building a complete, functional software system from the source code contributed by many talented individuals throughout the world. They truly allow users to implement the slogan Your distro, your rules.

Our goal is to continue to provide the best resource available that shows you how to integrate many significant Open Source applications. Since these applications are constantly updated and new applications are developed, this book will never be complete. Additionally, there is always room for improvement in explaining the nuances of how to install the different packages. To make these improvements, we need your feedback. I encourage you to participate on the different mailing lists, news groups, and IRC channels to help meet these goals.

Bruce Dubbs
bdubbs <at>
BLFS Editor (June 2004–December 2006 and February 2011–now)

My introduction to the [B]LFS project was actually by accident. I was trying to build a GNOME environment using some how-tos and other information I found on the web. A couple of times I ran into some build issues and Googling pulled up some old BLFS mailing list messages. Out for curiosity, I visited the Linux From Scratch web site and shortly thereafter was hooked. I've not used any other Linux distribution for personal use since.

I can't promise anyone will feel the sense of satisfaction I felt after building my first few systems using [B]LFS instructions, but I sincerely hope that your BLFS experience is as rewarding for you as it has been for me.

The BLFS project has grown significantly the last couple of years. There are more package instructions and related dependencies than ever before. The project requires your input for continued success. If you discover that you enjoy building BLFS, please consider helping out in any way you can. BLFS requires hundreds of hours of maintenance to keep it even semi-current. If you feel confident enough in your editing skills, please consider joining the BLFS team. Simply contributing to the mailing list discussions with sound advice and/or providing patches to the book's XML will probably result in you receiving an invitation to join the team.

Randy McMurchy
randy <at>
BLFS Editor (December 2006–January 2011)


This version of the book is intended to be used when building on top of a system built using the LFS book. Every effort has been made to ensure accuracy and reliability of the instructions. Many people find that using the instructions in this book after building the current stable or development version of LFS provides a stable and very modern Linux system.


Randy McMurchy
August 24th, 2008

Who Would Want to Read this Book

This book is mainly aimed at those who have built a system based on the LFS book. It will also be useful for those who are using other distributions, and for one reason or another want to manually build software and need some assistance. Note that the material in this book, in particular the dependency listings, assumes that you are using a basic LFS system with every package listed in the LFS book already installed and configured. BLFS can be used to create a range of diverse systems and so the target audience is probably as wide as that of the LFS book. If you found LFS useful, you should also like this!

Since Release 7.4, the BLFS book version has matched the LFS book version. This book may be incompatible with a previous or later release of the LFS book.


This book is divided into the following fourteen parts.

Part I - Introduction

This part contains essential information which is needed to understand the rest of the book.

Part II - Post LFS Configuration and Extra Software

Here we introduce basic configuration and security issues. We also discuss a range of text editors, file systems, and shells which aren't covered in the main LFS book.

Part III - General Libraries and Utilities

In this section we cover libraries which are often needed throughout the book, as well as system utilities. Information on programming (including recompiling GCC to support its full range of languages) concludes this part.

Part IV - Basic Networking

Here we explain how to connect to a network when you aren't using the simple static IP setup presented in the main LFS book. Networking libraries and command-line networking tools are also covered here.

Part V - Servers

Here we show you how to set up mail and other servers (such as FTP, Apache, etc.).

Part VI - X + Window Managers

This part explains how to set up a basic X Window System, along with some generic X libraries and Window managers.

Part VII - KDE

This part is for those who want to use the K Desktop Environment, or parts of it.


GNOME is the main alternative to KDE in the Desktop Environment arena.

Part IX - Xfce

Xfce is a lightweight alternative to GNOME and KDE.

Part X - LXDE

LXDE is another lightweight alternative to GNOME and KDE.

Part XI - More X Software

Office programs and graphical web browsers are important to most people. They, and some generic X software, can be found in this part of the book.

Part XII - Multimedia

Here we cover multimedia libraries and drivers, along with some audio, video, and CD-writing programs.

Part XIII - Printing, Scanning and Typesetting (PST)

This part covers document handling, from applications like Ghostscript, CUPS, and DocBook, all the way to texlive.


The Appendices present information which doesn't belong in the body of book; they are included as reference material. The glossary of acronyms is a handy feature.

Part I. Introduction

Chapter 1. Welcome to BLFS

The Beyond Linux From Scratch book is designed to carry on from where the LFS book leaves off. But unlike the LFS book, it isn't designed to be followed straight through. Reading the Which sections of the book? part of this chapter should help guide you through the book.

Please read most of this part of the book carefully as it explains quite a few of the conventions used throughout the book.

Which Sections of the Book Do I Want?

Unlike the Linux From Scratch book, BLFS isn't designed to be followed in a linear manner. LFS provides instructions on how to create a base system which can become anything from a web server to a multimedia desktop system. BLFS attempts to guide you in the process of going from the base system to your intended destination. Choice is very much involved.

Everyone who reads this book will want to read certain sections. The Introduction, which you are currently reading, contains generic information. Take special note of the information in Chapter 2, Important Information, as this contains comments about how to unpack software, issues related to the use of different locales, and various other considerations which apply throughout the book.

The part on Post LFS Configuration and Extra Software is where most people will want to turn next. This deals not only with configuration, but also with Security (Chapter 4, Security), File Systems (Chapter 5, File Systems and Disk Management -- including GRUB for UEFI), Text Editors (Chapter 6, Text Editors), and Shells (Chapter 7, Shells). Indeed, you may wish to reference some parts of this chapter (especially the sections on Text Editors and File Systems) while building your LFS system.

Following these basic items, most people will want to at least browse through the General Libraries and Utilities part of the book. This contains information on many items which are prerequisites for other sections of the book, as well as some items (such as Chapter 13, Programming) which are useful in their own right. You don't have to install all of the libraries and packages found in this part; each BLFS installation procedure tells you which other packages this one depends upon. You can choose the program you want to install, and see what it needs. (Don't forget to check for nested dependencies!)

Likewise, most people will probably want to look at the Networking section. It deals with connecting to the Internet or your LAN (Chapter 14, Connecting to a Network) using a variety of methods such as DHCP and PPP, and with items such as Networking Libraries (Chapter 17, Networking Libraries), plus various basic networking programs and utilities.

Once you have dealt with these basics, you may wish to configure more advanced network services. These are dealt with in the Servers part of the book. Those wanting to build servers should find a good starting point there. Note that this section also contains information on several database packages.

The next twelve chapters deal with desktop systems. This portion of the book starts with a part talking about Graphical Components. This part also deals with some generic X-based libraries (Chapter 25, Graphical Environment Libraries). After that, KDE, GNOME, Xfce, and LXQt are given their own parts, followed by one on X Software.

The book then moves on to deal with Multimedia packages. Note that many people may want to use the ALSA instructions from this chapter when first starting their BLFS journey; the instructions are placed here because it is the most logical place for them.

The final part of the main BLFS book deals with Printing, Scanning and Typesetting. This is useful for most people with desktop systems, but even those who are creating dedicated server systems may find it useful.

We hope you enjoy using BLFS. May you realize your dream of building the perfectly personalized Linux system!

Conventions Used in this Book

Typographical Conventions

To make things easy to follow, a number of conventions are used throughout the book. Here are some examples:

./configure --prefix=/usr

This form of text should be typed exactly as shown unless otherwise noted in the surrounding text. It is also used to identify references to specific commands.

install-info: unknown option

This form of text (fixed width font) shows screen output, probably the result of issuing a command. It is also used to show filenames such as /boot/grub/grub.conf


This form of text is used for several purposes, but mainly to emphasize important points, or to give examples of what to type.

This form of text is used for hypertext links external to the book, such as HowTos, download locations, websites, etc.


This form of text is used for links internal to the book, such as another section describing a different package.

cat > $LFS/etc/group << "EOF"

This style is mainly used when creating configuration files. The first command (in bold) tells the system to create the file $LFS/etc/group from whatever is typed on the following lines, until the sequence EOF is encountered. Therefore, this whole section is usually typed exactly as shown. Remember, copy and paste is your friend!


This form of text is used to encapsulate text that should be modified, and is not to be typed as shown, or copied and pasted. The angle brackets are not part of the literal text; they are part of the substitution.


This form of text is used to show a specific system user or group reference in the instructions.


Conventions Used for Package Dependencies

When new packages are created, the software's authors depend on prior work. In order to build a package in BLFS, these dependencies must be built before the desired package can be compiled. For each package, prerequisites are listed in one or more separate sections: Required, Recommended, and Optional.

Required Dependencies

These dependencies are the bare minimum needed to build the package. Packages in LFS, and the required dependencies of these required packages, are omitted from this list. Always remember to check for nested dependencies. If a dependency is said to be runtime, then it is not needed for building the package, but only to use it after installation.

Recommended Dependencies

These are dependencies the BLFS editors have determined are important to give the package reasonable capabilities. If a recommended dependency is not said to be runtime, package installation instructions assume it is installed. If it is not installed, the instructions may require modification, to accommodate the missing package. A recommended runtime dependency does not need to be installed before building the package, but must be built afterwards for running the package with reasonable capabilities.

Optional Dependencies

These are dependencies the package may use. Integration of optional dependencies may be automatic by the package, or additional steps not presented by BLFS may be necessary. Optional dependencies are sometimes listed without explicit BLFS instructions. In this case you must determine how to perform the installation yourself.


Conventions Used for Kernel Configuration Options

Some packages require specific kernel configuration options. The general layout for these looks like this:

Master section --->
  Subsection --->
    [*]     Required parameter                                        [REQU_PAR]
    <*>     Required parameter (not as module)                   [REQU_PAR_NMOD]
    <*/M>   Required parameter (could be a module)                [REQU_PAR_MOD]
    <M>     Required parameter (as a module)                 [REQU_PAR_MOD_ONLY]
    < /*/M> Optional parameter                                         [OPT_PAR]
    < /M>   Optional parameter (as a module if enabled)       [OPT_PAR_MOD_ONLY]
    [ ]     Incompatible parameter                                  [INCOMP_PAR]
    < >     Incompatible parameter (even as module)             [INCOMP_PAR_MOD]

[...] on the right gives the symbolic name of the option, so you can easily check whether it is set in your .config file. Note that the .config file contains a CONFIG_ prefix before all symbolic names. The meaning of the various entries is:

Master section top level menu item
Subsection submenu item
Required parameter the option can either be built-in, or not selected: it must be selected
Required parameter (not as module) the option can be built-in, a module, or not selected (tri-state): it must be selected as built-in
Required parameter (could be a module) the option can be built-in, a module, or not selected: it must be selected, either as built-in or as a module
Required parameter (as a module) the option can be built-in, a module, or not selected: it must be selected as a module; selecting it as built-in may cause unwanted effects
Optional parameter the option can be built-in, a module, or not selected: it may be selected as a module or built-in if you need it for driving the hardware or optional kernel features
Optional parameter (as a module if enabled) the option can be built-in, a module, or not selected: it may be selected as a module if you need it for driving the hardware or optional kernel features, but selecting it as built-in may cause unwanted effects
Incompatible parameter the option can either be built-in or not selected: it must not be selected
Incompatible parameter (even as module) the option can be built-in, a module, or not selected: it must not be selected

Note that, depending on other selections, the angle brackets (<>) in the configuration menu may appear as braces ({}) if the option cannot be unselected, or even as dashes (-*- or -M-), when the choice is imposed. The help text describing the option specifies the other selections on which this option relies, and how those other selections are set.

The letter in blue is the hotkey for this option. If you are running make menuconfig, you can press a key to quickly traverse all the options with this key as the hotkey on the screen.


SBU values in BLFS

As in LFS, each package in BLFS has a build time listed in Standard Build Units (SBUs). These times are relative to the time it took to build binutils in LFS, and are intended to provide some insight into how long it will take to build a package. Most times listed are for a single processor or core to build the package. In some cases, large, long running builds tested on multi-core systems have SBU times listed with comments such as '(parallelism=4)'. These values indicate testing was done using multiple cores. Note that while this speeds up the build on systems with the appropriate hardware, the speedup is not linear and to some extent depends on the individual package and the specific hardware used.

For packages which use ninja (i.e., anything using meson) or rust, by default all cores are used; similar comments will be seen on such packages even when the build time is minimal.

Where even a parallel build takes more than 15 SBU, on certain machines the time may be considerably greater even when the build does not use swap. In particular, different micro-architectures will build some files at different relative speeds, and this can introduce delays when certain make targets wait for another file to be created. Where a large build uses a lot of C++ files, processors with Simultaneous Multi Threading will share the Floating Point Unit and can take 45% longer than when using four 'prime' cores (measured on an intel i7 using taskset and keeping the other cores idle).

Some packages do not support parallel builds; for these, the make command must specify -j1. Packages that are known to impose such limits are so marked in the text.

Book Version

This is BLFS-BOOK version 12.1 dated March 1st, 2024. This is the 12.1-systemd branch of the BLFS book, currently targeting the LFS 12.1-systemd book. For development versions, if this version is older than a month, it's likely that your mirror hasn't been synchronized recently and a newer version is probably available for download or viewing. Check one of the mirror sites at for an updated version.

Mirror Sites

The BLFS project has a number of mirrors set up world-wide to make it easier and more convenient for you to access the website. Please visit the website for the list of current mirrors.

Getting the Source Packages

Within the BLFS instructions, each package has two references for finding the source files for the package—an HTTP link and an FTP link (some packages may only list one of these links). Every effort has been made to ensure that these links are accurate. However, the World Wide Web is in continuous flux. Packages are sometimes moved or updated and the exact URL specified is not always available.

To overcome this problem, the BLFS Team, with the assistance of Oregon State University Open Source Lab, has made an HTTP/FTP site available through world wide mirrors. See for a list. These sites have all the sources of the exact versions of the packages used in BLFS. If you can't find the BLFS package you need at the listed addresses, get it from these sites.

We would like to ask a favor, however. Although this is a public resource for you to use, please do not abuse it. We have already had one unthinking individual download over 3 GB of data, including multiple copies of the same files that are placed at different locations (via symlinks) to make finding the right package easier. This person clearly did not know what files he needed and downloaded everything. The best place to download files is the site or sites set up by the source code developer. Please try there first.

Change Log

Current release: 12.1 – March 1st, 2024

Changelog Entries:

  • March 1st, 2024

    • [bdubbs] - Release of BLFS-12.1.

  • February 26th, 2024

    • [bdubbs] - Update to gparted-1.6.0. Fixes #19371.

    • [renodr] - Update to libvdpau-va-gl-0.4.2. Fixes #19367.

    • [renodr] - Fix building Gwenview with the latest versions of kImageAnnotator and kColorPicker. Fixes #19329.

  • February 25th, 2024

    • [bdubbs] - Update to lightdm-gtk-greeter-2.0.9. Fixes #19366.

    • [bdubbs] - Update to pidgin-2.14.13. Fixes #19359.

  • February 22nd, 2024

    • [bdubbs] - Update to git-2.44.0. Fixes #19355.

  • February 22nd, 2024

    • [bdubbs] - Update to qemu-8.2.1. Fixes #19349.

    • [bdubbs] - Update to lxqt-archiver-0.9.1. Fixes #19346.

    • [bdubbs] - Update to gptfdisk-1.0.10. Fixes #19343.

  • February 21st, 2024

    • [xry111] - Update to efivar-39. Fixes #19348.

    • [bdubbs] - Update to thunderbird-115.8.0 (Security Update). Fixes #19342.

  • February 20th, 2024

    • [renodr] - Update to gedit-46.2. Fixes #19330.

    • [renodr] - Update to gnome-tweaks-45.1. Fixes #19339.

    • [renodr] - Update to samba-4.19.5. Fixes #19337.

    • [ken] - Update to firefox-115.8.0 (Security Update). Fixes #19332.

  • February 18th, 2024

    • [bdubbs] - Update to xterm-390. Fixes #19336.

  • February 18th, 2024

    • [bdubbs] - Update to btrfs-progs-v6.7.1. Fixes #19309.

    • [bdubbs] - Update to ed-1.20.1. Fixes #19325.

    • [bdubbs] - Update to php-8.3.3. Fixes #19322.

    • [renodr] - Update to wireshark-4.2.3. Fixes #19315.

    • [renodr] - Update to qt-6.6.2 (Security Update). Fixes #19316.

    • [bdubbs] - Update to kf5-apps-23.08.5. Fixes #19317.

    • [bdubbs] - Update to kf5-5.15.0. Fixes #19127.

  • February 17th, 2024

    • [rahul] - Update to nodejs-20.11.1. Fixes #19311.

    • [bdubbs] - Update to sysmon-qt-1.1. Fixes #19308.

    • [renodr] - Patch Qt5 against CVE-2024-25580. Fixes #19320.

  • February 16th, 2024

    • [bdubbs] - Update to Net-DNS-1.44 (Perl module). Fixes #18521.

    • [bdubbs] - Update to x265-20240216. Addresses #18520.

    • [bdubbs] - Update to x264-20240216. Addresses #18520.

    • [renodr] - Update to NSS-3.98 (Security Update). Fixes #19323.

    • [renodr] - Patch Valgrind to work correctly with glibc-2.39 and binutils-2.42. Fixes #19324.

    • [bdubbs] - Update to libnvme-1.8. Fixes #19310.

  • February 15th, 2024

    • [ken] - Update to ImageMagick-7.1.1-28 (Security Update). Addresses #16962.

    • [bdubbs] - Update to shadow-4.14.5. Fixes #19289.

  • February 14th, 2024

    • [rahul] - Update to git-2.43.2. Fixes #19314.

    • [rahul] - Update to power-profiles-daemon-0.20. Fixes #19313.

    • [rahul] - Update to webp-pixbuf-loader-0.2.7. Fixes #19312.

    • [rahul] - Update to mesa-24.0.1. Fixes #19220.

  • February 13th, 2024

    • [renodr] - Update to mercurial-6.6.3. Fixes #19299.

    • [renodr] - Update the gstreamer stack to 1.22.10. Fixes #19305.

    • [renodr] - Update to gnome-control-center-45.3. Fixes #19301.

    • [renodr] - Update to gcr-4.2.0. Fixes #19300.

    • [renodr] - Update to exiv2-0.28.2 (Security Update). Fixes #19307.

    • [renodr] - Fix CVE-2023-52160 in wpa_supplicant. Fixes #19304.

    • [renodr] - Update to mutter-45.4. Fixes #19296.

    • [renodr] - Update to gnome-shell-45.4. Fixes #19295.

    • [renodr] - Update to pango-1.51.2. Fixes #19294.

    • [renodr] - Update to gnome-maps-45.4. Fixes #19287.

    • [renodr] - Update to libshumate-1.1.3. Fixes #19286.

    • [renodr] - Update to gjs-1.78.4. Fixes #19285.

    • [renodr] - Update to evolution-3.50.4. Fixes #19278.

    • [renodr] - Update to evolution-data-server-3.50.4. Fixes #19278.

    • [renodr] - Update to libadwaita-1.4.3. Fixes #19276.

    • [renodr] - Fix building vala with graphviz-10.x.

    • [rahul] - Update to Unbound-1.19.1 (Security Update). Fixes #19303.

    • [renodr] - Update to graphviz-10.0.1. Fixes #19283.

    • [rahul] - Update to BIND-9.18.24 (Security Update). Fixes #19302.

    • [renodr] - Update to rustc-1.76.0. Fixes #19268.

    • [bdubbs] - Update to gnumeric-1.12.57. Fixes #19297.

    • [bdubbs] - Update to goffice-0.10.57. Fixes #19293.

    • [bdubbs] - Update to gegl-0.4.48. Fixes #19290.

    • [bdubbs] - Update to babl-0.1.108. Fixes #19273.

    • [renodr] - Update to libuv-1.48.0 (Security Update). Fixes #19263.

  • February 12th, 2024

    • [bdubbs] - Update to xdg-utils-v1.2.1 (Security Update). Fixes #19288.

    • [bdubbs] - Update to pcmanfm-qt-1.4.1. Fixes #19279.

    • [bdubbs] - Update to obconf-qt-0.16.4. Fixes #19271.

    • [bdubbs] - Update to hexchat-2.16.2. Fixes #19282.

    • [bdubbs] - Update to pycairo3-1.26.0 (Python Module). Fixes #19292.

    • [bdubbs] - Update to URI-5.27 (Perl Module). Fixes #19274.

    • [bdubbs] - Update to Business-ISMN-1.204 (Perl Module). Fixes #19291.

    • [bdubbs] - Update to Business-ISBN-3.009 (Perl module). Fixes #19284.

    • [bdubbs] - Update to shadow-4.14.4. Fixes #19289.

    • [bdubbs] - Update to Python-3.12.2 (Security Update). Fixes #19258.

    • [thomas] - Update to xfce4-notifyd-0.9.4. Fixes #19280.

  • February 10th, 2024

    • [xry111] - Fix a bug in systemd breaking running systemd-analyze on an instantiated systemd unit.

  • February 9th, 2024

    • [rahul] - Update to PostgreSQL-16.2 (Security Update). Fixes #19269.

    • [rahul] - Update to mariadb-10.11.7. Fixes #19272.

    • [rahul] - Update to libsecret-0.21.3. Fixes #19281.

    • [rahul] - Update to libhandy-1.8.3. Fixes #19275.

    • [rahul] - Update to git-2.43.1. Fixes #19275.

    • [rahul] - Update to libavif-1.0.4. Fixes #19267.

    • [rahul] - Update to enchant-2.6.7. Fixes #19266.

    • [rahul] - Add power-profiles-daemon. Fixes #19086.

  • February 8th, 2024

    • [bdubbs] - Update to lxqt-menu-data-1.4.1. Fixes #19265.

    • [bdubbs] - Update to libwacom-2.10.0. Fixes #19264.

    • [bdubbs] - Update to mupdf-1.23.10. Fixes #19259.

  • February 7th, 2024

    • [bdubbs] - Update to numpy-1.26.4 (Python Module). Fixes #19255.

    • [bdubbs] - Update to meson_python-0.15.0 (Python Module). Fixes #19261.

    • [bdubbs] - Update to pyproject-metadata-0.7.1 (Python Module). Fixes #19262.

    • [bdubbs] - Update to pytz-2024.1 (Python Module). Fixes #19260.

    • [bdubbs] - Update to libei-1.2.1. Fixes #19256.

    • [bdubbs] - Update to LWP-Protocol-https-6.13 (Perl module). Fixes #19254.

    • [bdubbs] - Update to xfsprogs-6.6.0. Fixes #19252.

    • [renodr] - Fix building WebKitGTK on 32-bit systems.

  • February 6th, 2024

    • [renodr] - Update to gnome-bluetooth-42.8. Fixes #19257.

    • [renodr] - Update to jasper-4.2.0. Fixes #19253.

    • [renodr] - Update to stunnel-5.72. Fixes #19251.

    • [thomas] - Upgrade to libxfce4ui-4.18.5. Fixes #19249.

    • [thomas] - Upgrade to libxfce4util-4.18.2. Fixes #19250.

    • [thomas] - Upgrade to garcon-4.18.2. Fixes #19248.

    • [thomas] - Upgrade to ristretto-0.13.2. Fixes #19244.

    • [thomas] - Upgrade to xfce4-terminal-1.1.2. Fixes #19247.

  • February 5th, 2024

    • [renodr] - Update to blfs-systemd-units-20240205. This version fixes a warning that occurs when starting slapd with the default configuration.

    • [bdubbs] - Update to mousepad-0.6.2. Fixes #19243.

    • [bdubbs] - Update to libgsf-1.14.52. Fixes #19237.

    • [bdubbs] - Update to imlib2-1.12.2. Fixes #19230.

    • [renodr] - Update to WebKitGTK-2.42.5 (Security Update). Fixes #19242.

    • [renodr] - Change TigerVNC to use LXQt instead of LXDE for the default configuration. Fixes #19245.

    • [rahul] - Update to openldap-2.6.7 (Security Update). Fixes #19211.

    • [rahul] - Update to neon-0.33.0. Fixes #19210.

    • [rahul] - Update to cmake-3.28.3. Fixes #19209.

    • [rahul] - Update to talloc-2.4.2. Fixes #19208.

    • [renodr] - Change libxml2 to use ICU, and fix a build failure in QtWebEngine that occurs with libxml2-2.12.x configured like this. Fixes #19246.

    • [bdubbs] - Update to xkeyboard-config-2.41. Fixes #19241.

    • [bdubbs] - Update to xorg-libs libXvMC-1.0.14, libxkbfile-1.1.3, libXext-1.3.6, and libpciaccess-0.18. Fixes #19232, #19233, #19234, and #19235.

    • [bdubbs] - Update to xorg-apps xkbcomp-1.4.7, xkbutils-1.0.6, and xprop-1.2.7. Fixes #19229.

    • [renodr] - Update to libxml2-2.12.5 (Security Update). Fixes #19238.

    • [renodr] - Update to gc-8.2.6. Fixes #19240.

    • [renodr] - Update to glad-2.0.5. Fixes #19239.

    • [renodr] - Update to enchant-2.6.6. Fixes #19236.

  • February 4th, 2024

    • [pierre] - Update to LSB-Tools-0.12. Fixes #19231.

  • February 3rd, 2024

    • [bdubbs] - Update to SDL2-2.30.0. Fixes #19161.

    • [bdubbs] - Update to libusb-1.0.27. Fixes #18999.

    • [bdubbs] - Update to cachecontrol-0.14.0 (Python module). Fixes #19228.

    • [bdubbs] - Update to URI-5.26 (Perl Module). Fixes #19227.

    • [xry111] - Update the systemd-units tarball to 20240128. This release contains a fix for sshd@.service.

  • February 2nd, 2024

    • [renodr] - Promote libpsl to recommended in wget and NetworkManager to protect against the "global cookie" issue.

    • [renodr] - Update to libreoffice- Fixes #19221.

    • [renodr] - Fix crashes in tracker-miners that occur due to gstreamer-1.22.9.

    • [bdubbs] - Update to poppler-24.02.0. Fixes #19225.

    • [bdubbs] - Update to icu4c-74_2. Fixes #19226.

    • [renodr] - Update Vulkan-Headers and Vulkan-Loader to 1.3.277. Fixes #19226.

    • [renodr] - Update to sendmail-8.18.1 (Security Update). Fixes #19219.

    • [renodr] - Update to fetchmail-6.4.38. Fixes #19218.

  • February 1st, 2024

    • [bdubbs] - Update to pipewire-1.0.3. Fixes #19222.

    • [bdubbs] - Update to curl-8.6.0 (Security Update). Fixes #19217.

  • January 31st, 2024

    • [bdubbs] - Update to libpng-1.6.42. Fixes #19213.

    • [bdubbs] - Update to sqlite-autoconf-3450100 (3.45.1). Fixes #19215.

    • [bdubbs] - Update to Mako-1.3.2 (Python module). Fixes #19214.

    • [bdubbs] - Update to alsa-lib-1.2.11 alsa-utils-1.2.11 alsa-tools-1.2.11. Fixes #19212.

  • January 29th, 2024

    • [bdubbs] - Update to pytest-8.0.0 (Python module). Fixes #19202.

    • [bdubbs] - Update to pluggy-1.4.0 (Python module). Fixes #19207.

    • [bdubbs] - Update to URI-5.25 (Perl Module). Fixes #19201.

    • [bdubbs] - Update to mc-4.8.31. Fixes #19200.

    • [bdubbs] - Update to pixman-0.43.2. Fixes #19092.

    • [renodr] - Update to libwpe-1.14.2. Fixes #19205.

    • [renodr] - Update to pangomm-2.46.4. Fixes #19204.

    • [renodr] - Update to atkmm-2.28.4. Fixes #19203.

    • [renodr] - Fix building Gwenview with kImageAnnotator-0.7.0. Fixes #19206.

  • January 27th, 2024

    • [rahul] - Update to gtk+-3.24.41. Fixes #19178.

    • [rahul] - Update to nss-3.97. Fixes #19166.

  • January 26th, 2024

    • [bdubbs] - Archive pth. Fixes #19198.

    • [bdubbs] - Update to libpng-1.6.41. Fixes #19189.

    • [bdubbs] - Update to btrfs-progs-v6.7. Fixes #18864.

    • [renodr] - Remove a workaround for Pango in Snapshot that is no longer required.

    • [renodr] - Update to pango-1.51.0. Fixes #19199.

    • [renodr] - Update to libidn2-2.3.7. Fixes #19197.

    • [renodr] - Update to c-ares-1.26.0. Fixes #19196.

    • [renodr] - Update to Net-DNS-1.43 (Perl Module). Fixes #19195.

    • [bdubbs] - Update to taglib-2.0. Fixes #19056.

    • [bdubbs] - Add utfcpp-4.0.5 in support of taglib.

  • January 26th, 2024

    • [bdubbs] - Update to URI-5.24 (Perl Module). Fixes #19191.

    • [bdubbs] - Update to libwww-perl-6.76 (Perl Module). Fixes #19192.

    • [renodr] - Update TigerVNC to use xorg-server-21.1.11 to fix all of the CVEs fixed since xorg-server-21.1.6 was released.

    • [renodr] - Update to colord-gtk-0.3.1. Fixes #19194.

    • [renodr] - Update Vulkan-Headers and Vulkan-Loader to 1.3.276. Fixes #19193.

    • [renodr] - Update to GnuPG-2.4.4 (Security Update). Fixes #19188.

    • [renodr] - Revert Mako to version 1.3.0. Mako 1.3.1 has been yanked upstream due to incompatible changes. Fixes #19190.

  • January 25th, 2024

    • [renodr] - Update to glm-1.0.0. Fixes #19185.

    • [renodr] - Update the gstreamer stack to 1.22.9 (Security Update). Fixes #19184.

    • [renodr] - Update to mesa-23.3.4. Fixes #19183.

    • [bdubbs] - Update to inih-r58. Fixes #19181.

    • [bdubbs] - Update to cryptsetup-2.7.0. Fixes #19180.

    • [bdubbs] - Update to webp-pixbuf-loader-0.2.6. Fixes #19182.

  • January 24th, 2024

    • [bdubbs] - Update to colord-1.4.7. Fixes #19169.

    • [bdubbs] - Update to libpaper-2.1.3. Fixes #19168.

    • [bdubbs] - Update to libplacebo-6.338.2. Fixes #19175.

    • [renodr] - Update to thunderbird-115.7.0 (Security Update). Fixes #19179.

    • [renodr] - Update to dos2unix-7.5.2. Fixes #19177.

    • [renodr] - Update to Mako-1.3.1 (Python Module). Fixes #19172.

    • [renodr] - Update to libwww-perl-6.75 (Perl Module). Fixes #19173.

    • [renodr] - Update to LWP-Protocol-https-6.11 (Perl Module). Fixes #19171.

    • [renodr] - Update to IO-Socket-SSL-2.085 (Perl Module). Fixes #19170.

    • [renodr] - Update to SpiderMonkey-115.7.0. Fixes #19167.

    • [rahul] - Update to webp-pixbuf-loader-0.2.5. Fixes #19176.

  • January 23rd, 2024

    • [ken] - Update to firefox-115.7.0 (Security Update). Fixes #19174.

      [renodr] - Update to glib-2.78.4. Fixes #19165.

    • [renodr] - Update to nghttp2-1.59.0. Fixes #19163.

    • [renodr] - Update to ed-1.20. Fixes #19162.

    • [renodr] - Update to IPC::Run3-0.049 (Perl Module). Fixes #19160.

    • [renodr] - Update to keyutils-1.6.3. Fixes #19159.

    • [renodr] - Update to shadow-4.14.3. Fixes #19136.

    • [renodr] - Update to postfix-3.8.5. Fixes #19164.

    • [xry111] - Update to vim-9.1.0041. Addresses #12241.

  • January 20th, 2024

    • [renodr] - Update to OpenJDK-21.0.2 (Security Update). Fixes #19141.

    • [bdubbs] - Update to patchelf-0.18.0. Fixes #19157.

    • [bdubbs] - Archive alsa-oss. Fixes #19158.

    • [bdubbs] - Update to libaom-3.8.1. Fixes #19156.

    • [bdubbs] - Update to wayland-protocols-1.33. Fixes #19154.

    • [bdubbs] - Update to libblockdev-3.1.0. Fixes #19155.

  • January 19th, 2024

    • [renodr] - Update to gjs-1.78.3. Fixes #19153.

    • [renodr] - Update to gtk-4.12.5. Fixes #19151.

    • [renodr] - Update to gtk+-3.24.40. Fixes #19150.

    • [bdubbs] - Update to php-8.3.2. Fixes #19149.

    • [bdubbs] - Update to libvpx-1.14.0. Fixes #19152.

    • [bdubbs] - Update to emacs-29.2. Fixes #19148.

  • January 18th, 2024

    • [renodr] - Update to SPIRV-Tools- Fixes #19145.

    • [renodr] - Update to SPIRV-Headers- Fixes #19144.

    • [renodr] - Update to Linux-PAM-1.6.0 (Security Update). Fixes #19142.

    • [bdubbs] - Update to polkit-124. Fixes #19143.

  • January 17th, 2024

    • [renodr] - Update to xwayland-23.2.4 (Security Update). Fixes #19134.

    • [renodr] - Update to xorg-server-21.1.11 (Security Update). Fixes #19133.

    • [renodr] - Update to gnutls-3.8.3 (Security Update). Fixes #19135.

    • [renodr] - Update to gcr-3.41.2. Fixes #19130.

    • [renodr] - Update to dvisvgm-3.2. Fixes #19119.

    • [renodr] - Update to mercurial-6.6.2. Fixes #19117.

  • January 16th, 2024

    • [bdubbs] - Update to kColorPicker-0.3.0. Fixes #19139.

    • [bdubbs] - Update to kImageAnnotator-0.7.0. Fixes #19140.

    • [bdubbs] - Update to libxml2-2.12.4. Fixes #19137.

    • [bdubbs] - Update to libinput-1.25.0 (xorg driver). Fixes #19132.

    • [bdubbs] - Update to sqlite-autoconf-3450000 (3.45.0). Fixes #19131.

  • January 14th, 2024

    • [bdubbs] - Archive libtheora. Fixes #18984.

    • [bdubbs] - Update to cpio-2.15. Fixes #19129.

    • [bdubbs] - Update to iso-codes-4.16.0. Fixes #19128.

    • [bdubbs] - Update to libpsl-0.21.5. Fixes #19126.

  • January 14th, 2024

    • [bdubbs] - Update to ncftp-3.2.7. Fixes #19125.

    • [bdubbs] - Update to libwww-perl-6.73. Fixes #19124.

    • [bdubbs] - Update to libidn-1.42. Fixes #19123.

    • [rahul] - Update to libdrm-2.4.120. Fixes #19122.

    • [rahul] - Update to bluez-5.72. Fixes #19121.

    • [rahul] - Update to pulseaudio-17.0. Fixes #19120.

    • [rahul] - Update to mupdf-1.23.9. Fixes #19109.

    • [rahul] - Update to samba-4.19.4. Fixes #19108.

    • [rahul] - Update to qpdf-11.8.0. Fixes #19107.

    • [rahul] - Update to enchant-2.6.5. Fixes #19106.

  • January 13th, 2024

    • [pierre] - Add xdg-desktop-portal-1.18.2, xdg-desktop-portal-gtk-1.15.1, xdg-desktop-portal-gnome-45.1, and xdg-desktop-portal-lxqt-0.5.0. Tweak instructions so that xdg-desktop-portal-kde is usable. Fixes #19087.

  • January 12th, 2024

    • [renodr] - Update to node.js-v20.11.0. Fixes #19113.

    • [renodr] - Update to mesa-23.3.3. Fixes #19114.

    • [renodr] - Update to pipewire-1.0.1. Fixes #19118.

    • [renodr] - Update to mpg123-1.32.4. Fixes #19115.

    • [renodr] - Update to jasper-4.1.2 (Security Update). Fixes #19116.

  • January 10th, 2024

    • [renodr] - Update to thunderbird-115.6.1. Fixes #19112.

    • [bdubbs] - Update to qca-2.3.8. Fixes #19110.

    • [bdubbs] - Update to kdsoap-2.2.0. Fixes #19111.

  • January 9th, 2024

    • [renodr] - Update to mutter-45.3. Fixes #19105.

    • [renodr] - Update to gnome-shell-45.3. Fixes #19104.

    • [renodr] - Update to gjs-1.78.2. Fixes #19103.

    • [renodr] - Update to gnome-maps-45.3. Fixes #19102.

    • [renodr] - Update to eog-45.2. Fixes #19101.

    • [renodr] - Update to pyatspi-2.46.1. Fixes #19100.

    • [renodr] - Update to epiphany-45.2. Fixes #19099.

    • [renodr] - Update to gvfs-1.52.2. Fixes #19098.

    • [renodr] - Update to evolution-3.50.3. Fixes #19097.

    • [renodr] - Update to evolution-data-server-3.50.3. Fixes #19097.

    • [renodr] - Update to at-spi2-core-2.50.1. Fixes #19096.

    • [renodr] - Update to Vulkan-Headers and Vulkan-Loader 1.3.275. Fixes #19095.

  • January 7th, 2024

    • [pierre] - Update to qt5-5.15.12 (including qt5-alternate and qt5-components). Fixes #19094.

  • January 5th, 2024

    • [bdubbs] - Update to fmt-10.2.1. Fixes #19093.

    • [bdubbs] - Update to c-ares-1.25.0. Fixes #19090.

    • [bdubbs] - Update to wireshark-4.2.2. Fixes #19091.

  • January 4th, 2024

    • [bdubbs] - Update to wireshark-4.2.1. Fixes #19085.

  • January 3rd, 2024

    • [rahul] - Update to intel-gmmlib-22.3.16 and intel-media-23.4.3. Fixes #18934.

    • [rahul] - Update to ffmpeg-6.1.1. Fixes #19074.

    • [rahul] - Update to icewm-3.4.5. Fixes #19069.

    • [renodr] - Move QtWebEngine to use the Python 3.11 version installed in /opt. Fixes #19016.

    • [bdubbs] - Update to numpy-1.26.3 (Python Module). Fixes #19083.

    • [bdubbs] - Update to poppler-24.01.0. Fixes #19082.

    • [bdubbs] - Update to libxmlb-0.3.15. Fixes #19081.

  • January 2nd, 2024

    • [renodr] - Update to xterm-389. Fixes #19078.

    • [renodr] - Update to fmt-10.2.0. Fixes #19077.

  • January 1st, 2024

    • [renodr] - Update to python-dbusmock-0.30.2 (Python Module). Fixes #19076.

    • [renodr] - Update to pytest-7.4.4 (Python Module). Fixes #19075.

    • [xry111] - Update to rustc-1.75.0. Fixes #19063.

  • December 31st, 2023

    • [renodr] - Update to swig-4.2.0. Fixes #19072.

    • [renodr] - Update to sudo-1.9.15p5. Fixes #19071.

    • [renodr] - Update to thunar-4.18.10. Fixes #19073.

    • [xry111] - Update to vim-9.0.2189. Addresses #12241.

    • [xry111] - Fix CVE-2023-7008 for systemd-255. Addresses LFS #5405.

  • December 30th, 2023

    • [renodr] - Update to xarchiver- Fixes #19070.

  • December 29th, 2023

    • [renodr] - Update to postfix-3.8.4 (Security Update). Fixes #19049.

    • [renodr] - Update to thunar-4.18.9. Fixes #19066.

    • [renodr] - Update to exim-4.97.1 (Security Update). Fixes #19065.

    • [renodr] - Update to subversion-1.14.3. Fixes #19064.

  • December 28th, 2023

    • [rahul] - Update to libdrm-2.4.119. Fixes #19045.

    • [rahul] - Update to fdk-aac-2.0.3. Fixes #19044.

    • [rahul] - Update to iw-6.7. Fixes #19043.

    • [rahul] - Update to php-8.3.1. Fixes #19042.

    • [rahul] - Update to libsass-3.6.6. Fixes #19041.

    • [renodr] - Update to snapshot-45.2. Fixes #19061.

    • [renodr] - Update to mesa-23.3.2. Fixes #19060.

    • [renodr] - Update to opencv-4.9.0. Fixes #19059.

    • [renodr] - Remove './mach configure' from the Mozilla packages since './mach build' does this step for us automatically now. Fixes #19028.

  • December 27th, 2023

    • [renodr] - Update to gnome-settings-daemon-45.1. Fixes #19051.

    • [renodr] - Update to vulkan-loader-1.3.274. Fixes #19029.

    • [renodr] - Update to vulkan-headers-1.3.274. Part of #19029.

    • [renodr] - Update the gstreamer stack to 1.22.8 (Security Update). Fixes #19027.

    • [renodr] - Update to Spidermonkey-115.6.0 (Security Update). Fixes #19024.

    • [bdubbs] - Update to paps-0.8.0. Fixes #19046.

    • [bdubbs] - Add fmt-10.1.1. Needed for paps-0.8.0.

    • [bdubbs] - Update to doxygen-1.10.0. Fixes #19058.

    • [bdubbs] - Update to ruby-3.3.0. Fixes #19057.

    • [bdubbs] - Update to Net-DNS-1.42 (Perl module). Fixes #19055.

    • [bdubbs] - Update to exempi-2.6.5. Fixes #19054.

  • December 26th, 2023

    • [renodr] - Update to Thunderbird-115.6.0 (Security Update). Fixes #19003.

    • [renodr] - Add a security patch to libssh2 to guard it against the Terrapin attack. Fixes #19023.

    • [renodr] - Update to openssh-9.6p1 (Security Update). Fixes #19023.

    • [renodr] - Remove Python 3.12 fixes from Seamonkey and adapt to the new Python 3.11 installation method. Addresses #19016.

    • [rahul,bdubbs] - Remove python-3.12 fixes from firefox. Addresses #19016.

    • [rahul,bdubbs] - Add Python-3.11.1 to allow building Mozilla packages and qtwebengine without fixes for python 3.12. Addresses #19016.

  • December 24th, 2023

    • [bdubbs] - Update to sysstat-12.7.5. Fixes #19048.

    • [bdubbs] - Update to fontconfig-2.15.0. Fixes #19047.

    • [bdubbs] - Update to glslang-14.0.0. Fixes #19050.

    • [bdubbs] - Update to python-dbusmock-0.30.1. Fixes #19053.

    • [bdubbs] - Update to bind-9.18.21. Fixes #19037.

    • [bdubbs] - Update to gtk+-3.24.39. Fixes #19036.

  • December 23rd, 2023

    • [ken] - Fix lingering 'hash:' items in postfix. Fixes #19052.

    • [rahul] - Update ProFTPD-1.3.8b (Security Update). Fixes #19038.

    • [timtas] - Remove outdated patch for dhcpcd-10.0.6.

    • [xry111] - Update to GRUB-2.12 for EFI. Fixes #19039.

    • [xry111] - Update to systemd-255. Fixes #18978.

  • December 22nd, 2023

    • [bdubbs] - Update to lxml-4.9.4 (Python module). Fixes #19035.

    • [rahul] - Update to dhcpcd-10.0.6. Fixes #19025.

  • December 20th, 2023

    • [bdubbs] - Update to qemu-8.2.0. Fixes #19031.

    • [bdubbs] - Update to LibRaw-0.21.2. Fixes #19034.

    • [bdubbs] - Update to libnvme-1.7.1. Fixes #19033.

    • [bdubbs] - Update to aspell- Fixes #19032.

    • [bdubbs] - Update to nss-3.96.1. Fixes #19030.

    • [renodr] - Update to Seamonkey-2.53.18 (Security Update). Fixes #18992.

  • December 19th, 2023

    • [ken] - Update to firefox-115.6.0 (Security Update). Fixes #19026.

  • December 17th, 2023

    • [bdubbs] - Update to c-ares-1.24.0. Fixes #19022.

    • [rahul] - Update to snapshot-45.1. Fixes #18998.

    • [rahul] - Update to qpdf-11.6.4. Fixes #19000.

    • [bdubbs] - Update to libatomic_ops-7.8.2. Fixes #19020.

    • [bdubbs] - Update to AppStream-1.0.1. Fixes #19019.

  • December 16th, 2023

    • [rahul] - Update to cmake-3.28.1. Fixes #19013.

    • [rahul] - Update to v4l-utils-1.26.1. Fixes #19007.

    • [rahul] - Update to enchant-2.6.4. Fixes #19002.

    • [bdubbs] - Update to nss-3.96. Fixes #19017.

    • [bdubbs] - Update to librsvg-2.57.1. Fixes #19018.

    • [bdubbs] - Update to mesa-23.3.1. Fixes #18548.

    • [bdubbs] - Update to Python-3.12.1. Fixes #18987.

    • [bdubbs] - Update to boost-1.84.0. Fixes #19011.

    • [bdubbs] - Update to traceroute-2.1.5. Fixes #19010.

    • [bdubbs] - Update to bluez-5.71. Fixes #19009.

    • [bdubbs] - Update to sudo-1.9.15p4. Fixes #19008.

  • December 15th, 2023

    • [bdubbs] - Update to plasma5-5.27.10. Fixes #18545.

    • [bdubbs] - Update to kde gear-23.08.4 including kate, kwave and falkon. Fixes #18527.

    • [bdubbs] - Update to kf5-5.113.0. Fixes #18527.

    • [bdubbs] - Update to plasma-wayland-protocols-1.12.0. Fixes #18989.

    • [renodr] - Update to webkitgtk-2.42.4 (Security Update). Fixes #19015.

    • [renodr] - Update to vte-0.74.2. Fixes #19014.

    • [renodr] - Fix an issue in dhcpcd that occurs when using the '-b' switch. Fixes #19001.

    • [renodr] - Update Vulkan-Headers and Vulkan-Loader to 1.3.273. Fixes #18995.

    • [renodr] - Update to libxml2-2.12.3. Fixes #18994.

    • [renodr] - Update to transmission-4.0.5. Fixes #18993.

  • December 13th, 2023

    • [bdubbs] - Update to xwayland-23.2.3. Fixes #19006.

    • [bdubbs] - Update to xorg-server-21.1.10. Fixes #19005.

  • December 11th, 2023

    • [rahul] - Update to libsecret-0.21.2. Fixes #18997.

    • [rahul] - Update to fltk-1.3.9. Fixes #18996.

  • December 8th, 2023

    • [renodr] - Update to libreoffice- (Security Update). Fixes #18991.

    • [rahul] - Update to cmake-3.28.0. Fixes #18979.

    • [rahul] - Update to libaom-3.8.0. Fixes #18981.

    • [renodr] - Update to gnome-control-center-45.2. Fixes #18990.

    • [renodr] - Update to rustc-1.74.1. Fixes #18994.

    • [renodr] - Update to mercurial-6.6.1. Fixes #18986.

  • December 7th, 2023

    • [renodr] - Update to libxml2-2.12.2. Fixes #18982.

    • [renodr] - Update to nautilus-45.2.1. Fixes #18980.

    • [renodr] - Update to glib-2.78.3. Fixes #18977.

    • [ken] - Revise 'Tuning Fontconfig' and 'TTF and OTF Fonts' to reflect the current position with fontconfig-2.14+. Fixes #18716.

  • December 6th, 2023

    • [bdubbs] - Update to libei-1.2.0. Fixes #18975.

    • [rahul] - Update to cURL-8.5.0 (Security Update). Fixes #18976.

    • [rahul] - Update to libnl-3.9.0. Fixes #18970.

    • [rahul] - Update to gdb-14.1. Fixes #18962.

    • [pierre] - Fix building libgsf against libxml-2.12.x.

    • [renodr] - Update to WebKitGTK-2.42.3 (Security Update). Fixes #18972.

  • December 5th, 2023

    • [renodr] - Update to enchant-2.6.3. Fixes #18957.

    • [rahul] - Update to wireplumber-0.4.17. Fixes #18966.

    • [rahul] - Update to libavif-1.0.3. Fixes #18968.

    • [rahul] - Update to pygments-2.17.2. Fixes #18969.

    • [rahul] - Update to feh-3.10.2. Fixes #18971.

    • [renodr] - Update to poppler-23.12.0. Fixes #18948.

    • [renodr] - Update to vulkan-loader-1.3.272. Fixes #18974.

    • [renodr] - Update to vulkan-headers-1.3.272. Fixes #18973.

    • [bdubbs] - Update to parole-4.18.1. Fixes #18941.

    • [bdubbs] - Update to xfce4-settings-4.18.4. Fixes #18940.

    • [bdubbs] - Update to xfce4-power-manager-4.18.3. Fixes #18939.

    • [bdubbs] - Update to tumbler-4.18.2. Fixes #18938.

    • [renodr] - Update the systemd-units tarball to 20231205. This release primarily removes old targets and units.

  • December 4th, 2023

    • [renodr] - Update to gnome-maps-45.2. Fixes #18965.

    • [renodr] - Update to file-roller-43.1. Fixes #18964.

    • [renodr] - Update to nautilus-45.2. Fixes #18963.

    • [renodr] - Update to mutter-45.2. Fixes #18961.

    • [renodr] - Update to gnome-shell-extensions-45.2. Fixes #19860.

    • [renodr] - Update to gnome-shell-45.2. Fixes #18960.

    • [renodr] - Update to gjs-1.78.1. Fixes #18959.

    • [renodr] - Update to Text-CSV-2.04 (Perl Module). Fixes #18958.

    • [renodr] - Update to Text-CSV_XS-1.53 (Perl Module). Fixes #18958.

    • [renodr] - Update to evolution-3.50.2. Fixes #18950.

    • [renodr] - Update to evolution-data-server-3.50.2. Fixes #18950.

    • [renodr] - Update to libadwaita-1.4.2. Fixes #18949.

    • [renodr] - Update to libseccomp-2.5.5. Fixes #18947.

    • [pierre] - Update to blfs-sytemd-units-20231204. Fixes #18951.

    • [pierre] - Update to kea-2.4.1. Fixes #18953.

  • December 3rd, 2023

    • [bdubbs] - Update to cryptsetup-2.6.1. Fixes #18955.

    • [bdubbs] - Update to shared-mime-info-2.4. Fixes #18954.

    • [renodr] - Add libplacebo to the book in support of mpv.

    • [renodr] - Add glad to the book in support of libplacebo.

    • [renodr] - Add support for Vulkan to the book. This is in support of libplacebo, but also since it is used in more packages. This involves the addition of SPIRV-Headers, SPIRV-Tools, glslang, Vulkan-Headers, and Vulkan-Loader.

    • [renodr] - Disable the usage of libplacebo in VLC. It's broken due to major API changes in libplacebo, and will not be fixed until VLC-4.

    • [renodr] - Enable support for Vulkan in Mesa. This includes the addition of Vulkan drivers.

    • [renodr] - Add support for Vulkan to ffmpeg, Qt5, Qt6, gst-plugins-bad, gtksourceview5, and pipewire.

    • [renodr] - Document support for Vulkan in GTK4.

    • [renodr] - Update to mpv-0.37.0. Fixes #18901.

    • [xry111] - Update to llvm-17.0.6. Fixes #18672.

  • December 1st, 2023

    • [bdubbs] - Update to cmake-3.27.9. Fixes #18932.

    • [bdubbs] - Update to mupdf-1.23.7. Fixes #18935.

    • [bdubbs] - Update to gpgme-1.23.2. Fixes #18930.

    • [renodr] - Update to gnome-disk-utility-45.1. Fixes #18946.

    • [renodr] - Update to c-ares-1.23.0. Fixes #18945.

    • [renodr] - Update to python-dbusmock-0.30.0 (Python Module). Fixes #18944.

    • [renodr] - Update to mlt-7.22.0. Fixes #18936.

    • [rahul] - Update to mariadb-10.11.6 (Security Update). Fixes #18937.

  • November 30th, 2023

    • [renodr] - Update to qtwebengine-5.15.17 (Security Update). Fixes #18942.

    • [timtas] - Update to v4l-utils-1.26.0. Fixes #18916.

  • November 29th, 2023

    • [renodr] - Update to sphinx-rtd-theme-2.0.0 (Python Module). Fixes #18933.

    • [renodr] - Update to jasper-4.1.1. Fixes #18931.

    • [rahul] - Update to nss-3.95. Fixes #18924.

  • November 28th, 2023

    • [renodr] - Fix building sendmail now that Berkeley DB has been archived. Thanks goes to Joe Locash for the report and the solution. Fixes #18929.

    • [bdubbs] - Update to libqalculate-4.9.0. Fixes #18925.

    • [bdubbs] - Update to qt-everywhere-src-6.6.1. Fixes #18921.

    • [renodr] - Update to thunderbird-115.5.1. Fixes #18928.

    • [bdubbs] - Fix building obconf-qt with libxml2-2.12.x. Thanks to Joe Locash for the report and instructions. Fixes #18923.

    • [bdubbs] - Update to Net-DNS-1.41 (Perl module). Fixes #18926.

    • [bdubbs] - Update to pipewire-1.0.0. Fixes #18917.

    • [renodr] - Update to inkscape-1.3.2. Fixes #18927.

    • [renodr] - Update to samba-4.19.3. Fixes #18922.

    • [renodr] - Update to libwacom-2.9.0. Fixes #18920.

  • November 26th, 2023

    • [renodr] - Fix building evolution-data-server with libxml2-2.12.x. Fixes #18918.

    • [renodr] - Update to libreoffice- Fixes #18907.

  • November 25th, 2023

    • [bdubbs] - Update to sqlite-autoconf-3430200 (3.44.2). Fixes #18915.

    • [bdubbs] - Update to gi-docgen-2023.3. Fixes #18914.

  • November 24th, 2023

    • [renodr] - Update to node.js-v20.10.0. Fixes #18904.

    • [bdubbs] - Update to php-8.3.0. Fixes #18912.

    • [rahul] - Update to intel-gmmlib-22.3.14. Fixes #18911.

    • [bdubbs] - Update to LVM2.2.03.23. Fixes #18903.

    • [renodr] - Update to wireplumber-0.4.16. Fixes #18905.

    • [renodr] - Update to libxml2-2.12.1. Fixes #18913.

  • November 23rd, 2023

    • [renodr] - Update to sqlite-3.44.1. Fixes #18906.

    • [renodr] - Fix building WebKitGTK-2.42.0 with libxml2-2.12.x. Fixes #18909.

    • [rahul] - Update to intel-media-23.4.1. Fixes #18861.

    • [rahul] - Update to intel-gmmlib-23.3.13. Fixes #18857.

  • November 22nd, 2023

    • [renodr] - Update to mercurial-6.3. Fixes #18899.

    • [renodr] - Update to Thunderbird-115.5.0 (Security Update). Fixes #18900.

    • [bdubbs] - Archive Berkeley DB. Fixes #18871.

    • [renodr] - Fix building libsoup2 with libxml2-2.12.0. Fixes #18902.

    • [bdubbs] - Update to libaom-3.7.1. Fixes #18897.

    • [bdubbs] - Update to libdrm-2.4.118. Fixes #18896.

    • [bdubbs] - Update to git-2.43.0. Fixes #18895.

  • November 21st, 2023

    • [ken] - Update to spidermonkey-115.5.0. Fixes #18892.

    • [bdubbs] - Update to ibus-1.5.29. Fixes #18882.

    • [ken] - Update to firefox-115.5.0 (Security Updated). Fixes #18891.

  • November 20th, 2023

    • [bdubbs] - Add instructions to create/install libuv man page. Fixes #18879.

    • [ken] - Update to dvisgm-3.1.2. Fixes #18707.

    • [renodr] - Update to rustc-1.74.0. Fixes #18876.

    • [renodr] - Update to inkscape-1.3.1. Fixes #18888.

    • [renodr] - Update to gtk-4.12.4. Fixes #18884.

    • [renodr] - Update to c-ares-1.22.1. Fixes #18890.

    • [renodr] - Update to SCons-4.6.0. Fixes #18889.

    • [renodr] - Update to Pygments-2.17.1 (Python Module). Fixes #18887.

    • [renodr] - Update to lsof-4.99.0. Fixes #18886.

    • [bdubbs] - Update to log4cplus-2.1.1. Fixes #18881.

    • [bdubbs] - Update to libxml2-2.12.0. Fixes #18880.

    • [bdubbs] - Update to pipewire-0.3.85. Fixes #18873.

    • [bdubbs] - Update to libksba-1.6.5. Fixes #18873.

  • November 19th, 2023

    • [timtas] - Update to nfs-utils-2.6.4. Fixes #18883.

  • November 17th, 2023

    • [bdubbs] - Add qt6. Fixes #14356.

    • [renodr] - Update to gnome-bluetooth-42.7. Fixes #18877.

    • [renodr] - Update to libavif-1.0.2. Fixes #18875.

    • [renodr] - Update to libxslt-1.1.39. Fixes #18874.

    • [renodr] - Fix a build failure in raptor2 when libxml2-2.11.x is installed. Thanks goes to Joe Locash for the report. Fixes #18872.

    • [timtas] - Update to exim-4.97. Fixes #18818.

    • [bdubbs] - Add File::FcntlLock-0.22 (Perl module) in support of exim #18818.

  • November 16th, 2023

    • [bdubbs] - Update to mupdf-1.23.6. Fixes #18870.

    • [bdubbs] - Update to wireshark-4.2.0. Fixes #18868.

    • [bdubbs] - Update to bind-9.18.20. Fixes #18867.

    • [bdubbs] - Update to cmake-3.27.8. Fixes #18866.

    • [renodr] - Update to Thunderbird-115.4.3. Fixes #18869.

    • [renodr] - Patch gnome-shell-extensions to fix a crash when using the Workspace Indicator extension.

    • [renodr] - Update to Encode-JIS2K-0.03 (Perl Module). Fixes #18865.

    • [renodr] - Update to p11-kit-0.25.3. Fixes #18863.

    • [renodr] - Update to gnutls-3.8.2 (Security Update). Fixes #18862.

    • [renodr] - Change cyrus-sasl to use LMDB instead of Berkeley DB. Addresses #18871.

  • November 15th, 2023

    • [bdubbs] - Update to libgcrypt-1.10.3. Fixes #18858.

    • [bdubbs] - Update to plasma-wayland-protocols-1.11.1. Fixes #18859.

    • [timtas] - Update to faad2-2.11.1. Fixes #18860.

  • November 14th, 2023

    • [renodr] - Update the gstreamer stack to 1.22.7 (Security Update). Fixes #18853.

    • [renodr] - Update to c-ares-1.22.0. Fixes #18855.

    • [bdubbs] - Update to vala-0.56.14. Fixes #18852.

    • [bdubbs] - Update to btrfs-progs-v6.6.1. Fixes #18854.

  • November 13th, 2023

    • [rahul] - Update to ffmpeg-6.1. Fixes #18845.

    • [xry111] - Update to vim-9.0.2103. Addresses #12241.

  • November 12th, 2023

    • [bdubbs] - Update to btrfs-progs-6.6. Fixes #18815.

    • [xry111] - Update to AppStream-1.0.0. Fixes #18843.

    • [rahul] - Update to dhcpcd-10.0.5. Fixes #18844.

    • [bdubbs] - Update to numpy-1.26.2 (Python module). Fixes #18851.

    • [renodr] - Update to WebKitGTK+-2.42.2 (Security Update). Fixes #18531.

    • [bdubbs] - Update to harfbuzz-8.3.0. Fixes #18849.

    • [pierre] - Update to sudo-1.9.15p2. Fixes #18848.

  • November 11th, 2023

    • [xry111] - Archive libxml2 Python 2 module. Part of #11459.

    • [xry111] - Update to libxml2-2.11.5. Fixes #18847 and #18846.

    • [bdubbs] - Archive GConf. Fixes #18830.

    • [timtas] - Update to sudo-1.9.15. Fixes #18822.

  • November 10th, 2023

    • [renodr] - Update to postgresql-16.1 (Security Update). Fixes #18841.

    • [pierre] - Archive little CMS (version 1). Fixes #18840.

    • [xry111] - Archive autoconf-2.13. Fixes #18459.

    • [rahul] - Update to ffmpeg 6.0.1. Fixes #18842.

  • November 9th, 2023

    • [ken] - Simplify the 'Prefer chosen CJK fonts' example in 'tuning fontconfig' and ensure that DejaVu fonts are preferred for non-CJK.

    • [bdubbs] - Update to autofs-5.1.9. Fixes #18832.

    • [bdubbs] - Update to unbound-1.19.0. Fixes #18839.

    • [bdubbs] - Update to Mako-1.3.0. Fixes #18838.

    • [xry111] - Fix an issue with WebKitGTK-2.42.1 breaking various Web sites.

    • [renodr] - Update to libcloudproviders-0.3.5. Fixes #18837.

    • [pierre] - Fix wireshark for building with Python-3.12. Part of #18798.

  • November 8th, 2023

    • [bdubbs] - Update to lxqt-1.4.0 and associated packages. Fixes #18820.

    • [renodr] - Update to thunderbird-115.4.2. Fixes #18834.

    • [renodr] - Update to plasma-wayland-protocols-1.11.0. Fixes #18833.

    • [renodr] - Update to libgusb-0.4.8. Fixes #18831.

    • [renodr] - Update to mupdf-1.23.5. Fixes #18829.

    • [renodr] - Update to xapian-core-1.4.24. Fixes #18824.

    • [renodr] - Update to GIMP-2.10.36 (Security Update). Fixes #18836.

    • [renodr] - Update to faad2-2.11.0 (Security Update). Fixes #18835.

    • [pierre] - Update to mercurial-6.5.3. Fixes #18827.

  • November 7th, 2023

    • [pierre] - Fix libreoffice for ICU 74. Part of #18799.

    • [renodr] - Adapt itstool to changes in Python-3.12. Addresses #18798.

    • [renodr] - Update to epiphany-45.1. Fixes #18828.

    • [renodr] - Update to IO-Socket-SSL-2.084 (Perl Module). Fixes #18826.

    • [renodr] - Update to libuv-1.47.0. Fixes #18823.

    • [renodr] - Update to jasper-4.1.0. Fixes #18819.

    • [renodr] - Fix building ffmpeg-6.0 with Texinfo-7.1 installed. Fixes #18821.

    • [renodr] - Update to exiv2-0.28.1 (Security Update). Fixes #18825.

    • [xry111] - Fix SeaMonkey for Python 3.12 and ICU 74. Part of #18798 and #18799.

  • November 6th, 2023

    • [pierre,xry111] - Fix qtwebengine for python 3.12 and ICU 74. Part of #18798 and #18799.

  • November 5th, 2023

    • [bdubbs] - Update to jasper-4.0.1. Fixes #18817.

  • November 3rd, 2023

    • [rahul] - Update to git-2.42.1. Fixes #18809.

    • [rahul] - Update to pipewire-0.3.84. Fixes #18814.

    • [rahul] - Update to SDL2-2.28.5. Fixes #18813.

    • [rahul] - Update to icewm-3.4.4. Fixes #18811.

    • [bdubbs] - Update to node-v20.9.0. Fixes #18804.

    • [bdubbs] - Update to postfix-3.8.3. Fixes #18801.

    • [bdubbs] - Update to poppler-23.11.0. Fixes #18800.

    • [bdubbs] - Add sysmon-qt-1.0.

    • [renodr] - Update to gnumeric-1.12.56. Fixes #18812.

    • [renodr] - Update to goffice-0.10.56. Fixes #18810.

    • [renodr] - Update to libgsf-1.14.51. Fixes #18808.

    • [renodr] - Update to sqlite-3.44.0. Fixes #18802.

    • [timtas] - Update to ghostscript-10.02.1. Fixes #18803.

  • November 2nd, 2023

    • [rahul] - Update to c-ares-1.21.0. Fixes #18783.

    • [rahul] - Update to nghttp2-1.58.0. Fixes #18784.

    • [bdubbs] - Update to kuserfeedback-1.3.0. Fixes #18807.

    • [bdubbs] - Update to phonon-backend-vlc-0.12.0. Fixes #18806.

    • [bdubbs] - Archive phonon-backend-gstreamer.

    • [bdubbs] - Update to phonon-4.12.0. Fixes #18805.

    • [renodr] - Update to tracker-miners-3.6.2. Fixes #18796.

    • [renodr] - Update to mutter-45.1. Fixes #18795.

    • [renodr] - Update to gnome-shell-extensions-45.1. Fixes #18794.

    • [renodr] - Update to gnome-shell-45.1. Fixes #18793.

    • [renodr] - Update to libsoup-3.4.4. Fixes #18780.

    • [renodr] - Update to gnome-control-center-45.1. Fixes #18769.

    • [renodr] - Update to nautilus-45.1. Fixes #18765.

    • [renodr] - Update to gnome-maps-45.1. Fixes #18761.

    • [renodr] - Update to eog-45.1. Fixes #18760.

    • [renodr] - Update to libshumate-1.1.2. Fixes #18759.

    • [renodr] - Update to gnome-user-docs-45.1. Fixes #18758.

    • [renodr] - Update to evolution-3.50.1. Fixes #18753.

    • [renodr] - Update to evolution-data-server-3.50.1. Fixes #18753.

    • [renodr] - Update to thunderbird-115.4.1 (Security Update). Fixes #18774.

    • [renodr] - Update to OpenJDK-21.0.1 (Security Update). Fixes #18743.

  • November 1st, 2023

    • [bdubbs] - Update to xfconf-4.18.3. Fixes #18797.

    • [bdubbs] - Update to valgrind-3.22.0. Fixes #18792.

    • [bdubbs] - Update to icu4c-74_1-src. Fixes #18791.

    • [bdubbs] - Update to p11-kit-0.25.2. Fixes #18790.

  • October 31st, 2023

    • [bdubbs] - Update to vlc-3.0.20. Fixes #18789.

    • [bdubbs] - Update to usbutils-017. Fixes #18788.

    • [bdubbs] - Update to shadow-4.14.2. Fixes #18786.

    • [bdubbs] - Update to Python-3.12.0. Fixes #18664.

    • [renodr] - Update to intel-media-23.4.0. Fixes #18781.

  • October 30th, 2023

    • [rahul] - Add OpenSSH as a recommended dependency of gcr-4.

    • [renodr] - Fix problems with the recent sandbox tightening in tracker-miners on both i686 and x86_64. Fixes #18715.

    • [ken] - Update to qtwebengine-5.15.16 (Security Update). Fixes #18787.

  • October 29th, 2023

    • [bdubbs] - Update to enchant-2.6.2. Fixes #18785.

    • [bdubbs] - Update to gpgme-1.23.1. Fixes #18782.

    • [bdubbs] - Update to php-8.2.12. Fixes #18779.

    • [bdubbs] - Update to p11-kit-0.25.1. Fixes #18778.

  • October 27th, 2023

    • [bdubbs] - Update to xwayland-23.2.2. Fixes #18772.

    • [timtas] - Update to xorg-server-21.1.9. Fixes #18771.

  • October 26th, 2023

    • [bdubbs] - Update to newt-0.52.24. Fixes #18777.

    • [bdubbs] - Update to glib-2.78.1. Fixes #18776.

    • [bdubbs] - Update to gpgme-1.23.0. Fixes #18775.

  • October 25th, 2023

    • [bdubbs] - Update to pytest-7.4.3 (Python module). Fixes #18770.

    • [timtas] - Update to thunar-4.18.8. Fixes #18773.

  • October 24th, 2023

    • [ken] - Update to SpiderMonkey 115.4.0 (Security Update). Fixes #18767.

    • [ken] - Update to firefox-115.4.0 (Security Update). Fixes #18766.

  • October 23rd, 2023

    • [bdubbs] - Update to xterm-388. Fixes #18764.

    • [bdubbs] - Update to usbutils-016. Fixes #18763.

    • [bdubbs] - Update to pycairo3-1.25.1 (Python module). Fixes #18757.

    • [bdubbs] - Update to highlight-4.10. Fixes #18756.

    • [bdubbs] - Update to btrfs-progs-v6.5.3. Fixes #18755.

    • [bdubbs] - Update to libdrm-2.4.117. Fixes #18752.

  • October 20th, 2023

    • [timtas] - Update to gvfs-1.52.1. Fixes #18754.

    • [timtas] - Update to xfce4-notifyd-0.9.3. Fixes #18762.

    • [timtas] - Update to dhcpcd-10.0.4. Fixes #18744.

  • October 20th, 2023

    • [renodr] - Fix a regression in alsa-lib that causes segmentation faults whenever audio is played on i686. Fixes #18751.

    • [bdubbs] - Removed most references to the update-leap script in ntp. Fixes #18738.

    • [renodr] - Update to Thunderbird-115.3.3. Fixes #18742.

    • [renodr] - Update to intel-media-driver-23.3.5. Fixes #18749.

    • [renodr] - Update to intel-gmmlib-22.3.12. Fixes #18724.

    • [bdubbs] - Update to pipewire-0.3.83. Fixes #18750.

    • [bdubbs] - Update to gucharmap-15.1.2. Fixes #18748.

    • [bdubbs] - Update to gnome-terminal-3.50.1. Fixes #18747.

    • [bdubbs] - Update to vte-0.74.1. Fixes #18746.

    • [bdubbs] - Update to httpd-2.4.58 (Security Update). Fixes #18745.

  • October 19th, 2023

    • [bdubbs] - Update to xfce4-dev-tools-4.18.1. Fixes #18741.

    • [bdubbs] - Update to highlight-4.9. Fixes #18740.

    • [bdubbs] - Update to libbytesize-2.10. Fixes #18739.

    • [bdubbs] - Update to harfbuzz-8.2.2. Fixes #18737.

    • [bdubbs] - Update to libsigc++-2.12.1. Fixes #18736.

    • [bdubbs] - Update to xfconf-4.18.2. Fixes #18734.

    • [bdubbs] - Update to node.js-18.18.2 (Security Update). Fixes #18733.

    • [bdubbs] - Update to libxkbcommon-1.6.0. Fixes #18732.

    • [bdubbs] - Update to libqalculate-4.8.1. Fixes #18731.

    • [bdubbs] - Update to libpaper-2.1.2. Fixes #18730.

    • [bdubbs] - Update to libnvme-1.6. Fixes #18729.

    • [bdubbs] - Update to libical-3.0.17. Fixes #18728.

    • [bdubbs] - Update to libgusb-0.4.7. Fixes #18727.

  • October 18th, 2023

    • [bdubbs] - Update to libblockdev-3.0.4. Fixes #18726.

    • [bdubbs] - Update to enchant-2.6.1. Fixes #18723.

    • [bdubbs] - Update to qpdf-11.6.3. Fixes #18721.

    • [bdubbs] - Update to libjpeg-turbo-3.0.1. Fixes #18720.

    • [bdubbs] - Update to xfce4-terminal-1.1.1. Fixes #18712.

  • October 17th, 2023

    • [pierre] - Update to pipewire-0.3.82. Fixes #18709.

    • [pierre] - Update to wireplumber-0.4.15. Fixes #18706.

    • [pierre] - Update to thunderbird-115.3.2. Fixes #18653.

    • [pierre] - Update to exim-4.96.2 (security update). Fixes #18714.

    • [timtas] - Update to samba-4.19.2. Fixes #18722.

    • [timtas] - Update to qemu-8.1.2. Fixes #18719.

  • October 16th, 2023

    • [timtas] - Remove libxpresent dependency from xfwm4-4.18.0. It is now part of Xorg Libraries.

    • [renodr] - Apply a patch to Seamonkey to fix several security vulnerabilities in it's bundled libvpx.

    • [renodr] - Update to xterm-387. Fixes #18718.

    • [renodr] - Update to doxyqml-0.5.3 (Python Module). Fixes #18717.

    • [renodr] - Update to numpy-1.26.1 (Python Modules). Fixes #18710.

    • [renodr] - Update to libnsl-2.0.1. Fixes #18708.

    • [bdubbs] - Add libXpresent-1.0.1 to xorg libraries. Needed to support mpv.

  • October 15th, 2023

    • [bdubbs] - Update to vlc-3.0.19. Fixes #18692.

    • [bdubbs] - Update to shadow-4.14.1. Fixes #18679.

    • [ken] - fontconfig-2.14 changed the defaults from DejaVu to Noto fonts. Add a note in tuning-fontconfig, pending review of the details. Addresses #18716.

    • [pierre] - Update to cups-filters-2.0.0. Fixes #18656.

    • [pierre] - Add cups-browsed-2.0.0. This is needed for the new version of cups-filters and the upcoming CUPS v3.

    • [pierre] - Add libppd-2.0.0. This is needed for the new version of cups-filters and the upcoming CUPS v3.

    • [pierre] - Add libcupsfilters-2.0.0. This is needed for the new version of cups-filters and the upcoming CUPS v3.

    • [timtas] - Add mpv-0.36.0 to Video Utilities.

  • October 13th, 2023

    • [rahul] - Update to gtk4-4.12.3. Fixes #18627.

  • October 13th, 2023

    • [bdubbs] - Update to xfsprogs-6.5.0. Fixes #18704.

    • [bdubbs] - Update to Test-Differences-0.71 (Perl module). Fixes #18705.

  • October 12th, 2023

    • [bdubbs] - Update to xscreensaver-6.08. Fixes #18700.

    • [bdubbs] - Update to iptables-1.8.10. Fixes #18694.

    • [bdubbs] - Update to proftpd-1.3.8a. Fixes #18691.

    • [bdubbs] - Update to libva-2.20.0. Fixes #18687.

    • [bdubbs] - Update to btrfs-progs-v6.5.2. Fixes #18674.

    • [bdubbs] - Update to desktop-file-utils-0.27. Fixes #18680.

    • [bdubbs] - Update to mpg123-1.32.3. Fixes #18669.

    • [bdubbs] - Update to mlt-7.20.0. Fixes #18668.

    • [bdubbs] - Update to poppler-23.10.0. Fixes #18663.

    • [bdubbs] - Update to SDL2-2.28.4. Fixes #18660.

    • [bdubbs] - Update to xfce4-pulseaudio-plugin-0.4.8. Fixes #18659.

    • [renodr] - Update to mupdf-1.23.4. Fixes #18701.

    • [renodr] - Update to fuse-3.16.2. Fixes #18695.

    • [renodr] - Update to libtirpc-1.3.4. Fixes #18690.

    • [renodr] - Update to c-ares-1.20.1. Fixes #18689.

    • [renodr] - Update to qpdf-11.6.2. Fixes #18688.

    • [renodr] - Update to wireshark-4.0.10. Fixes #18676.

  • October 11th, 2023

    • [timtas] - Update to SQLite-3.43.2. Fixes #18698.

    • [bdubbs] - Update to xterm-386. Fixes #18693.

    • [renodr] - Update to curl-8.4.0 (Security Update). Fixes #18702.

    • [renodr] - Update to libnotify-0.8.3 (Security Update). Fixes #18699.

    • [renodr] - Update to nghttp2-1.57.0 (Security Update). Fixes #18697.

    • [xry111] - Fix a crash in vala-0.56.13 vapigen program which may be triggered building NetworkManager-1.44.2. Fixes #18703.

    • [timtas] - Update to samba-4.19.1. Fixes #18696.

    • [pierre] - Update to Qt-5.15.11. Fixes #18678.

  • October 10th, 2023

    • [bdubbs] - Update to pipewire-0.3.81. Fixes #18686.

    • [renodr] - Update to unrar-6.2.12. Fixes #18681.

    • [renodr] - Update to network-manager-applet-1.34.0. Fixes #18682.

    • [renodr] - Update to NetworkManager-1.44.2. Fixes #18673.

    • [renodr] - Update to tracker-miners-3.6.1. Fixes #18652.

    • [renodr] - Update to opencv-4.8.1. Fixes #18645.

  • October 9th, 2023

    • [renodr] - Update to xkeyboard-config-2.40. Fixes #18683.

    • [renodr] - Update to libXrandr-1.5.4 (Xorg Library). Fixes #18677.

    • [renodr] - Update to packaging-23.2 (Python Modules). Fixes #18657.

    • [renodr] - Update to libXpm-3.5.17 (Security Update). Fixes #18671.

    • [renodr] - Update to libX11-1.8.7 (Security Update). Fixes #18670.

  • October 8th, 2023

    • [thomas] - Update cmake-3.27.7. Fixes #18684.

    • [xry111] - Update to rustc-1.73.0. Fixes #18613.

    • [thomas] - Update php-8.2.11. Fixes #18647.

    • [thomas] - Update openssh-9.5p1. Fixes #18675.

    • [timtas] - Update dhcpcd-10.0.3. Fixes #18685.

  • October 7th, 2023

    • [rahul] - Update libvpx-1.13.1. Fixes #18654.

    • [rahul] - Update xterm-385. Fixes #18658.

  • October 4th, 2023

    • [rahul] - Update to feh-3.10.1. Fixes #18667.

    • [rahul] - Update to icewm-3.4.3. Fixes #18666.

  • October 3rd, 2023

    • [timtas] - Update to nss-3.94. Fixes #18662.

    • [timtas] - Update to exim-4.96.1. Fixes #18665.

  • October 1st, 2023

    • [rahul] - Update to bluez-5.70. Fixes #18646.

    • [rahul] - Update to intel-media-23.3.4. Fixes #18650.

  • September 30th, 2023

    • [pierre] - Update to libreoffice-7.6.2. Fixes #18639.

  • September 29th, 2023

    • [xry111] - Add libvpx security fix patch. Fixes #18651.

  • September 28th, 2023

    • [renodr] - Archive XSane. It has been replaced with Simple Scan. Fixes #18532.

    • [renodr] - Remove sane-frotends from the book. It has been replaced with Simple Scan. Part of #18532.

    • [renodr] - Update to mpg123-1.32.2. Fixes #18633.

    • [renodr] - Update to sdl12-compat-1.2.68. Fixes #18640.

    • [renodr] - Update to xfce4-panel-4.18.5. Fixes #18641.

    • [renodr] - Update to imlib2-1.12.1. Fixes #18628.

    • [renodr] - Update to cairo-1.18.0. Fixes #17618.

    • [renodr] - Update to WebKitGTK+-2.42.1 (Security Update). Fixes #18644.

    • [pierre] - Update to OpenJDK-21. Fixes #18611.

  • September 27th, 2023

    • [renodr] - Update to Thunderbird-115.3.0 (Security Update). Fixes #18624.

    • [renodr] - Update to seamonkey- (Security Update). Fixes #18622.

    • [renodr] - Update to pycairo-1.25.0 (Python Module). Fixes #18638.

    • [renodr] - Update to epiphany-45.0. Fixes #18572.

    • [renodr] - Update to gucharmap-15.1.1. Fixes #18596.

    • [renodr] - Update to gnome-weather-45.0. Fixes #18610.

    • [renodr] - Update to gnome-terminal-3.50.0. Fixes #18595.

    • [renodr] - Update to gnome-system-monitor-45.0.2. Fixes #18591.

    • [renodr] - Update to gnome-maps-45.0. Fixes #18590.

    • [renodr] - Update to gnome-calculator-45.0.2. Fixes #18608.

    • [renodr] - Update to evince-45.0. Fixes #18609.

    • [renodr] - Update to eog-45.0. Fixes #18597.

    • [renodr] - Update to baobab-45.0. Fixes #18615.

    • [renodr] - Archive Cogl. It was only used by Clutter. Finishes #18643.

    • [renodr] - Archive clutter. It is no longer used. Addresses #18643.

    • [renodr] - Archive clutter-gst. It was only used by Cheese. Addresses #18643.

    • [renodr] - Archive clutter-gtk. It was only used by Cheese. Addresses #18643.

    • [renodr] - Archive Cheese. It has been replaced with Snapshot. Fixes #18620.

    • [renodr] - Add Snapshot to the book, replacing Cheese. Fixes #18620.

    • [renodr] - Add Wireplumber to the book in support of Snapshot. Fixes #18642.

    • [renodr] - Update to Xwayland-23.2.1. Fixes #18616.

    • [timtas] - Fix -Denable-printing=true in epdfview.

  • September 26th, 2023

    • [ken] - Use the gtk3 fork of epdfview. Addresses #18531.

    • [renodr] - Fix dependencies in adwaita-icon-theme.

    • [ken] - Update to dvisvgm-3.1.1. Fixes #18477.

    • [ken] - Update to SpiderMonkey 115.3.0 Fixes #18636.

    • [pierre] - Update to make-ca-1.13. Fixes #18637.

    • [ken] - Update to firefox-115.3.0, Security Update. Fixes #18635.

    • [renodr] - Add simple-scan to the book. This will eventually replace XSane. Fixes #18532.

    • [thomas] - Upgrade to cmake-3.27.6. Fixes #18621.

  • September 25th, 2023

    • [timtas] - Update to xfce4-notifyd-0.9.2. Fixes #18625.

    • [xry111] - Archive libchamplain as it's obsolete.

  • September 23rd, 2023

    • [timtas] - Update to qemu-8.1.1. Fixes #18626.

  • September 22nd, 2023

    • [renodr] - Update to gnome-user-docs-45.0. Fixes #18581.

    • [renodr] - Update to gnome-session-45.0. Fixes #18583.

    • [renodr] - Update to gnome-shell-extensions-45.0. Fixes #18579.

    • [renodr] - Update to gdm-45.0.1. Fixes #18584.

    • [renodr] - Update to gnome-shell-45.0. Fixes #18579.

    • [renodr] - Update to mutter-45.0. Fixes #18580.

    • [renodr] - Update to gnome-control-center-45.0. Fixes #18570.

    • [renodr] - Update to gnome-settings-daemon-45.0. Fixes #18588.

    • [renodr] - Update to nautilus-45.0. Fixes #18582.

    • [renodr] - Update to gvfs-1.52.0. Fixes #18571.

    • [renodr] - Update to gnome-backgrounds-45.0. Fixes #18598.

    • [renodr] - Update to dconf-editor-45.0.1. Fixes #18614.

    • [renodr] - Update to libsecret-0.21.1. Fixes #18629.

    • [renodr] - Add Tecla to the book in support of gnome-control-center. Fixes #18630.

    • [renodr] - Add libei to the book in support of Mutter. Fixes #18631.

  • September 21st, 2023

    • [renodr] - Update to BIND-9.18.19 (Security Update). Fixes #18619.

    • [renodr] - Update the gstreamer stack to 1.22.6 (Security Update). Fixes #18618.

    • [renodr] - Update to cups-2.4.7 (Security Update). Fixes #18623.

    • [renodr] - Update to stunnel-5.71. Fixes #18612.

    • [renodr] - Update to adwaita-icon-theme-45.0. Fixes #18607.

    • [renodr] - Update to unrar-6.2.11. Fixes #18606.

    • [renodr] - Update to harfbuzz-8.2.1. Fixes #18605.

    • [renodr] - Update to vte-0.74.0. Fixes #18594.

    • [renodr] - Update to libshumate-1.1.0. Fixes #18587.

    • [renodr] - Update to gsettings-desktop-schemas-45.0. Fixes #18585.

    • [renodr] - Update to libgweather-4.4.0. Fixes #18576.

    • [renodr] - Update to tracker-miners-3.6.0. Fixes #18575.

    • [renodr] - Update to tracker-3.6.0. Part of #18575.

    • [renodr] - Update to evolution-3.50.0. Fixes #18569.

    • [renodr] - Update to evolution-data-server-3.50.0. Part of #18569.

    • [rahul] - Update to icewm-3.4.2. Fixes #18539.

    • [rahul] - Update to mesa-23.1.8. Fixes #18617.

  • September 19th, 2023

    • [xry111] - Update to llvm-17.0.1. Fixes #18173.

    • [timtas] - Update to xfce4-notifyd-0.9.0. Fixes #18604.

    • [renodr] - Update to webkitgtk-2.42.0. Fixes #18574.

  • September 18th, 2023

    • [renodr] - Update to gtksourceview-5.10.0. Fixes #18593.

    • [renodr] - Archive libdazzle. It was only used by sysprof. Fixes #18603.

    • [renodr] - Archive sysprof. Fixes #18592.

    • [renodr] - Update to json-glib-1.8.0. Fixes #18578.

    • [renodr] - Update to gobject-introspection-1.78.1. Fixes #18577.

    • [renodr] - Update to at-spi2-core-2.50.0. Fixes #18568.

    • [renodr] - Update to libsoup-3.4.3. Fixes #18567.

    • [renodr] - Update to numpy-1.26.0 (Python Module). Fixes #18565.

    • [renodr] - Update to gnome-calculator-45.0. Fixes #18429.

    • [renodr] - Update to libadwaita-1.4.0. Fixes #18573.

    • [renodr] - Add appstream to the book in support of libadwaita. Fixes #18599.

    • [renodr] - Add libxmlb to the book in support of appstream. Fixes #18600.

    • [renodr] - Archive pycryptodome. Nothing is using it anymore, and it only was previously used by Samba. Fixes #18566.

  • September 17th, 2023

    • [xry111] - Rename "JS" to "SpiderMonkey from Firefox". Update to SpiderMonkey from Firefox-115.2.1. Update to gjs-1.78.0. Allow building Polkit with SpiderMonkey from Firefox-115. Fixes #18221.

    • [renodr] - Update to libreoffice- Fixes #18561.

    • [pierre] - Update to blfs-bootscripts-20230917: move interface to the end of the dhcpcd command in the service file. In conjunction with the item below, fixes passing hostnames to DNS.

    • [timtas] - Fix DHCP_START option in dhcpcd ifconfig example

  • September 16th, 2023

    • [renodr] - Update to glib-networking-2.78.0. Fixes #18563.

    • [renodr] - Update to dovecot-2.3.21. Fixes #18564.

    • [renodr] - Update to postgresql-16.0. Fixes #18559.

    • [renodr] - Update to cmake-3.27.5. Fixes #18558.

    • [renodr] - Update to librsvg-2.57.0. Fixes #18557.

    • [renodr] - Update the APNG patch for libpng to 1.6.40. Fixes #18556.

    • [renodr] - Update to opus-1.4. Fixes #18555.

    • [renodr] - Update to pipewire-0.3.80. Fixes #18554.

    • [renodr] - Update to cbindgen-0.26.0. Fixes #18551.

    • [renodr] - Update to tiff-4.6.0. Note that this removes several utilities which suffered from lack of maintenance. Fixes #18550.

    • [renodr] - Update to sane-backends-1.2.1. Fixes #18533.

  • September 14th, 2023

    • [renodr] - Update to gucharmap-15.1.0. Fixes #18546.

    • [renodr] - Update to gnome-disk-utility-45.0. Fixes #18540.

    • [renodr] - Update to pygobject-3.46.0 (Python Module). Fixes #18536.

    • [renodr] - Update to libarchive-3.7.2 (Security Update). Fixes #18534.

    • [renodr] - Update to cURL-8.2.1 (Security Update). Fixes #18547.

    • [renodr] - Update to thunderbird-115.2.2 (Security Update). Fixes #18541.

    • [pierre] - Update to ghostscript-10.02.0. Fixes #18553.

    • [pierre] - Update to sphinx-7.2.6 (python module). Fixes #18552.

    • [pierre] - Update to libwebp-1.3.2 (security update). Fixes #18549.

    • [pierre] - Update to btrfs-progs-6.5.1. Fixes #18548.

    • [pierre] - Update to sqlite-3.43.1. Fixes #18538.

    • [pierre] - Update to graphviz-9.0.0. Fixes #18535.

  • September 13th, 2023

    • [rahul] - Update to geoclue-2.7.1. Fixes #18537.

    • [xry111] - Archive gdk-pixbuf-xlib. Use imlib2 for icewm instead.

    • [ken] - Update to firefox-115.2.1 - this is no longer a security update if you use system libwebp, and can be ignored. Fixes #18543.

    • [ken] - Updated the libwebp patch to version 2, this adds a second chromium commit which the Debian bug pointed to. Fixes #18544.

    • [ken] - Patch libwebp-1.3.1 for a critical vulnerability. This is not the official fix, which is not yet public, but was taken from firefox's fix for its shipped libwebp in the hope it will be adequate. Addresses #18544.

  • September 12th, 2023

    • [rahul] - Remove gtk2 dependency from colord-gtk. Addresses #18531.

  • September 11th, 2023

    • [bdubbs] - Archive keybinder2. Addresses #18531.

    • [renodr] - Update to harfbuzz-8.2.0. Fixes #18522.

  • September 10th, 2023

    • [renodr] - Update to gobject-introspection-1.78.0. Fixes #18525.

    • [renodr] - Update to glib-2.78.0. Fixes #18529.

    • [rahul] - Update to intel-media-23.3.3. Fixes #18523.

    • [rahul] - Add dbus-glib as a dependency for Parole.

    • [ken] - Update to mutt-2.2.12 (Security Update). Fixes #18528.

    • [bdubbs] - Update to libportal-0.7.1. Fixes #18526.

  • September 9th, 2023

    • [thomas] - Add a wiki page for how to use LetsEncrypt certificates and manage them by certbot or uacme. Fixes #18451.

    • [rahul] - Update to mariadb-10.11.5. Fixes #18485.

  • September 8th, 2023

    • [renodr] - Update to webkitgtk-2.41.92. Fixes #18517.

    • [bdubbs] - Update to obconf-qt-0.16.3. Fixes #18521.

    • [bdubbs] - Update to udisks-2.10.1. Fixes #18514.

    • [bdubbs] - Update to sysstat-12.7.4. Fixes #18516.

    • [renodr] - Update to font-util-1.4.1 (Xorg Font). Fixes #18518.

    • [renodr] - Update to pytest-7.4.2 (Python Module). Fixes #18515.

    • [renodr] - Update to libcloudproviders-0.3.4. Fixes #18513.

  • September 7th, 2023

    • [bdubbs] - Update to poppler-23.09.0. Fixes #18508.

    • [bdubbs] - Update to mupdf-1.23.3. Fixes #18509.

    • [bdubbs] - Update to gtk-4.12.1. Fixes #18464.

    • [renodr] - Update to libportal-0.7. Fixes #18510.

    • [renodr] - Update to mesa-23.1.7. Fixes #18512.

    • [renodr] - Update to mercurial-6.5.2. Fixes #18511.

    • [bdubbs] - Update to alsa-lib alsa-utils 1.2.10. Fixes #18499.

    • [bdubbs] - Update to dbus-1.14.10. Fixes #18492.

    • [renodr] - Update to Transmission-4.0.4. Fixes #18471.

  • September 6th, 2023

    • [thomas] - Archive lxde. Fixes #18380.

    • [thomas] - Update to php-8.2.10. Fixes #18493.

    • [rahul] - Update to SDL2-2.28.3. Fixes #18498.

    • [bdubbs] - Update to btrfs-progs-v6.5. Fixes #18488.

    • [bdubbs] - Update to vim-9.0.1837. Addresses #12241.

    • [bdubbs] - Update to unbound-1.18.0. Fixes #18482.

    • [renodr] - Update to qpdf-11.6.1. Fixes #18503.

    • [renodr] - Update to gnome-system-monitor-45.0.1. Fixes #18502.

    • [renodr] - Update to mutter-44.4. Fixes #18496.

    • [renodr] - Update to gnome-shell-44.4. Fixes #18495.

    • [bdubbs] - Update to doxygen-1.9.8. Fixes #18462.

    • [renodr] - Update to libwacom-2.8.0. Fixes #18491.

    • [renodr] - Update to libaom-3.7.0. Fixes #18486.

    • [renodr] - Update to mozjs-102.15.0. Fixes #18473.

    • [renodr] - Update to libavif-1.0.1. Fixes #18469.

    • [renodr] - Update to samba-4.19.0. Fixes #18506.

  • September 5th, 2023

    • [ken] - Update to nss-3.93.0. Fixes #18484.

    • [rahul] - Update to nghttp2-1.56.0. Fixes #18507.

    • [thomas] - Update to postfix-3.8.2. Fixes #18494.

  • September 4th, 2023

    • [bdubbs] - Update to at-spi2-core-2.48.4. Fixes #18505.

    • [bdubbs] - Archive volume_key. Fixes #18487.

    • [bdubbs] - Update to libblockdev-3.0.3. Fixes #18490.

    • [bdubbs] - Update to xscreensaver-6.07. Fixes #18483.

    • [bdubbs] - Update to highlight-4.8. Fixes #18470.

    • [bdubbs] - Update to xf86-input-libinput-1.4.0. Fixes #18463.

    • [bdubbs] - Update to freetype-2.13.2. Fixes #18461.

    • [xry111] - Update to cbindgen-0.25.0. Fixes #18467.

    • [xry111] - Update to rustc-1.72.0. Fixes #18456.

    • [rahul] - Update to libnl-3.8.0. Fixes #18476.

    • [rahul] - Update to libinput-1.24.0. Fixes #18458.

    • [rahul] - Update to bluez-5.69. Fixes #18454.

  • September 3rd, 2023

    • [bdubbs] - Archive sawfish and its dependencies rep-gtk and librep. Fixes #18453.

    • [pierre] - Update to glib-2.76.5. Fixes #18501.

    • [pierre] - Update to python-3.11.5 (security update). Fixes #18455.

    • [pierre] - Update to libdrm-2.4.116. Fixes #18449.

    • [pierre] - Update to wireshark-4.0.8. Fixes #18448.

    • [pierre] - Update to URI-5.21 (perl module). Fixes #18447.

    • [pierre] - Update to mupdf-1.23.2. Fixes #18446.

    • [pierre] - Update to pipewire-0.3.79. Fixes #18445.

    • [pierre] - Update to shadow-4.14.0. Fixes #18421.

    • [renodr] - Update to pytest-7.4.1 (Python Module). Fixes #18500.

    • [renodr] - Update to intel-gmmlib-22.3.11. Fixes #18489.

    • [renodr] - Update to Net-DNS-1.40 (Perl Module). Fixes #18481.

    • [renodr] - Update to dos2unix-7.5.1. Fixes #18474.

    • [renodr] - Update to gnome-maps-44.4. Fixes #18465.

    • [thomas] - Update to thunar-4.18.7. Fixes #18497.

  • September 2nd, 2023

    • [bdubbs] - Archive reiserfsprogs. Fixes #18354.

    • [thomas] - Update to sqlite-3.43.0. Fixes #18457.

    • [thomas] - Update to traceroute-2.1.3. Fixes #18475.

    • [pierre] - Update to sphinx_rtd_theme-1.3.0 (python module). Fixes #18440.

    • [pierre] - Update to git-2.42.0. Fixes #18439.

    • [pierre] - Update to libqalculate-4.8.0. Fixes #18438.

    • [pierre] - Update to brotli-1.1.0. Fixes #18437.

    • [pierre] - Update to gpgme-1.22.0. Fixes #18436.

    • [pierre] - Update to vala-0.56.13. Fixes #18434.

    • [pierre] - Update to sphinx-7.2.5 (python module). Fixes #18427.

    • [pierre] - Update to cmake-3.27.4. Fixes #18422.

    • [pierre] - Update to sphinxcontrib-serializinghtml-1.1.9 (python module dependency), now required by sphinx-7.2.

  • September 1st, 2023

    • [bdubbs] - Release of BLFS-12.0.

Mailing Lists

The server is hosting a number of mailing lists that are used for the development of the BLFS book. These lists include, among others, the main development and support lists.

For more information regarding which lists are available, how to subscribe to them, archive locations, etc., visit

Editor Notes

The BLFS Project has created a Wiki for editors to comment on pages and instructions at

When editor notes are present, a link appears in the form right below the dependency list. The idea behind the editor notes is to give additional information about the package and/or its build instructions, common pitfalls or maybe even more sophisticated configuration for special cases of use.

The vast majority of the packages do not have editor notes.


The editor notes might be outdated. Even though the pages should be reviewed when a package is updated, it might happen that there are notes referring to an obsolete version and therefore, the notes might be out of date. Always check the date of the notes and more importantly, the version of the package the notes refer to.

Asking for Help and the FAQ

If you encounter a problem while using this book, and your problem is not listed in the FAQ (, you will find that most of the people on Internet Relay Chat (IRC) and on the mailing lists are willing to help you. An overview of the LFS mailing lists can be found in Mailing lists. To assist us in diagnosing and solving your problem, include as much relevant information as possible in your request for help.

Things to Check Prior to Asking

Before asking for help, you should review the following items:

  • Is the hardware support compiled into the kernel or available as a module to the kernel? If it is a module, is it configured properly in modprobe.conf and has it been loaded? You should use lsmod as the root user to see if it's loaded. Check the sys.log file or run modprobe <driver> to review any error message. If it loads properly, you may need to add the modprobe command to your boot scripts.

  • Are your permissions properly set, especially for devices? LFS uses groups to make these settings easier, but it also adds the step of adding users to groups to allow access. A simple usermod -G audio <user> may be all that's necessary for that user to have access to the sound system. Any question that starts out with It works as root, but not as ... requires a thorough review of permissions prior to asking.

  • BLFS liberally uses /opt/<package>. The main objection to this centers around the need to expand your environment variables for each package placed there (e.g., PATH=$PATH:/opt/kde/bin). In most cases, the package instructions will walk you through the changes, but some will not. The section called Going Beyond BLFS is available to help you check.

Things to Mention

Apart from a brief explanation of the problem you're having, the essential things to include in your request are:

  • the version of the book you are using (being 12.1),

  • the package or section giving you problems,

  • the exact error message or symptom you are receiving,

  • whether you have deviated from the book or LFS at all,

  • if you are installing a BLFS package on a non-LFS system.

(Note that saying that you've deviated from the book doesn't mean that we won't help you. It'll just help us to see other possible causes of your problem.)

Expect guidance instead of specific instructions. If you are instructed to read something, please do so. It generally implies that the answer was way too obvious and that the question would not have been asked if a little research was done prior to asking. The volunteers in the mailing list prefer not to be used as an alternative to doing reasonable research on your end. In addition, the quality of your experience with BLFS is also greatly enhanced by this research, and the quality of volunteers is enhanced because they don't feel that their time has been abused, so they are far more likely to participate.

An excellent article on asking for help on the Internet in general has been written by Eric S. Raymond. It is available online at Read and follow the hints in that document and you are much more likely to get a response to start with and also to get the help you actually need.


Many people have contributed both directly and indirectly to BLFS. This page lists all of those we can think of. We may well have left people out and if you feel this is the case, drop us a line. Many thanks to all of the LFS community for their assistance with this project.

Current Editors

  • Rahul Chandra

  • Bruce Dubbs

  • Pierre Labastie

  • Ken Moffat

  • Douglas Reno

  • Xi Ruoyao

  • Thomas Trepl

Contributors and Past Editors

The list of contributors is far too large to provide detailed information about the contributions for each contributor. Over the years, the following individuals have provided significant inputs to the book:

  • Timothy Bauscher

  • Daniel Bauman

  • Jeff Bauman

  • Andy Benton

  • Wayne Blaszczyk

  • Paul Campbell

  • Nathan Coulson

  • Jeroen Coumans

  • Guy Dalziel

  • Robert Daniels

  • Richard Downing

  • Manuel Canales Esparcia

  • Jim Gifford

  • Manfred Glombowski

  • Ag Hatzimanikas

  • Mark Hymers

  • James Iwanek

  • David Jensen

  • Jeremy Jones

  • Seth Klein

  • Alex Kloss

  • Eric Konopka

  • Larry Lawrence

  • D-J Lucas

  • Chris Lynn

  • Andrew McMurry

  • Randy McMurchy

  • Denis Mugnier

  • Billy O'Connor

  • Fernando de Oliveira

  • Alexander Patrakov

  • Olivier Peres

  • Andreas Pedersen

  • Henning Rohde

  • Matt Rogers

  • James Robertson

  • Henning Rohde

  • Chris Staub

  • Jesse Tie-Ten-Quee

  • Ragnar Thomsen

  • Tushar Teredesai

  • Jeremy Utley

  • Zack Winkles

  • Christian Wurst

  • Igor Živković

General Acknowledgments

  • Fernando Arbeiza

  • Miguel Bazdresch

  • Gerard Beekmans

  • Oliver Brakmann

  • Jeremy Byron

  • Ian Chilton

  • David Ciecierski

  • Jim Harris

  • Lee Harris

  • Marc Heerdink

  • Steffen Knollmann

  • Eric Konopka

  • Scot McPherson

  • Ted Riley

Contact Information

Please direct your emails to one of the BLFS mailing lists. See Mailing lists for more information on the available mailing lists.

Chapter 2. Important Information

This chapter is used to explain some of the policies used throughout the book, to introduce important concepts and to explain some issues you may see with some of the included packages.

Notes on Building Software

Those people who have built an LFS system may be aware of the general principles of downloading and unpacking software. Some of that information is repeated here for those new to building their own software.

Each set of installation instructions contains a URL from which you can download the package. The patches; however, are stored on the LFS servers and are available via HTTP. These are referenced as needed in the installation instructions.

While you can keep the source files anywhere you like, we assume that you have unpacked the package and changed into the directory created by the unpacking process (the source directory). We also assume you have uncompressed any required patches and they are in the directory immediately above the source directory.

We can not emphasize strongly enough that you should start from a clean source tree each time. This means that if you have had an error during configuration or compilation, it's usually best to delete the source tree and re-unpack it before trying again. This obviously doesn't apply if you're an advanced user used to hacking Makefiles and C code, but if in doubt, start from a clean tree.

Building Software as an Unprivileged (non-root) User

The golden rule of Unix System Administration is to use your superpowers only when necessary. Hence, BLFS recommends that you build software as an unprivileged user and only become the root user when installing the software. This philosophy is followed in all the packages in this book. Unless otherwise specified, all instructions should be executed as an unprivileged user. The book will advise you on instructions that need root privileges.

Unpacking the Software

If a file is in .tar format and compressed, it is unpacked by running one of the following commands:

tar -xvf filename.tar.gz
tar -xvf filename.tgz
tar -xvf filename.tar.Z
tar -xvf filename.tar.bz2


You may omit using the v parameter in the commands shown above and below if you wish to suppress the verbose listing of all the files in the archive as they are extracted. This can help speed up the extraction as well as make any errors produced during the extraction more obvious to you.

You can also use a slightly different method:

bzcat filename.tar.bz2 | tar -xv

Finally, sometimes we have a compressed patch file in .patch.gz or .patch.bz2 format. The best way to apply the patch is piping the output of the decompressor to the patch utility. For example:

gzip -cd ../patchname.patch.gz | patch -p1

Or for a patch compressed with bzip2:

bzcat ../patchname.patch.bz2 | patch -p1

Verifying File Integrity

Generally, to verify that the downloaded file is complete, many package maintainers also distribute md5sums of the files. To verify the md5sum of the downloaded files, download both the file and the corresponding md5sum file to the same directory (preferably from different on-line locations), and (assuming file.md5sum is the md5sum file downloaded) run the following command:

md5sum -c file.md5sum

If there are any errors, they will be reported. Note that the BLFS book includes md5sums for all the source files also. To use the BLFS supplied md5sums, you can create a file.md5sum (place the md5sum data and the exact name of the downloaded file on the same line of a file, separated by white space) and run the command shown above. Alternately, simply run the command shown below and compare the output to the md5sum data shown in the BLFS book.

md5sum <name_of_downloaded_file>

MD5 is not cryptographically secure, so the md5sums are only provided for detecting unmalicious changes to the file content. For example, an error or truncation introduced during network transfer, or a stealth update to the package from the upstream (updating the content of a released tarball instead of making a new release properly).

There is no 100% secure way to make sure the genuity of the source files. Assuming the upstream is managing their website correctly (the private key is not leaked and the domain is not hijacked), and the trust anchors have been set up correctly using make-ca-1.13 on the BLFS system, we can reasonably trust download URLs to the upstream official website with https protocol. Note that BLFS book itself is published on a website with https, so you should already have some confidence in https protocol or you wouldn't trust the book content.

If the package is downloaded from an unofficial location (for example a local mirror), checksums generated by cryptographically secure digest algorithms (for example SHA256) can be used to verify the genuity of the package. Download the checksum file from the upstream official website (or somewhere you can trust) and compare the checksum of the package from unofficial location with it. For example, SHA256 checksum can be checked with the command:


If the checksum and the package are downloaded from the same untrusted location, you won't gain security enhancement by verifying the package with the checksum. The attacker can fake the checksum as well as compromising the package itself.

sha256sum -c file.sha256sum

If GnuPG-2.4.4 is installed, you can also verify the genuity of the package with a GPG signature. Import the upstream GPG public key with:

gpg --recv-key keyID

keyID should be replaced with the key ID from somewhere you can trust (for example, copy it from the upstream official website using https). Now you can verify the signature with:

gpg --recv-key file.sig file

The advantage of GnuPG signature is, once you imported a public key which can be trusted, you can download both the package and its signature from the same unofficial location and verify them with the public key. So you won't need to connect to the official upstream website to retrieve a checksum for each new release. You only need to update the public key if it's expired or revoked.

Creating Log Files During Installation

For larger packages, it is convenient to create log files instead of staring at the screen hoping to catch a particular error or warning. Log files are also useful for debugging and keeping records. The following command allows you to create an installation log. Replace <command> with the command you intend to execute.

( <command> 2>&1 | tee compile.log && exit $PIPESTATUS )

2>&1 redirects error messages to the same location as standard output. The tee command allows viewing of the output while logging the results to a file. The parentheses around the command run the entire command in a subshell and finally the exit $PIPESTATUS command ensures the result of the <command> is returned as the result and not the result of the tee command.

Using Multiple Processors

For many modern systems with multiple processors (or cores) the compilation time for a package can be reduced by performing a "parallel make" by either setting an environment variable or telling the make program to simultaneously execute multiple jobs.

For instance, an Intel Core i9-13900K CPU contains 8 performance (P) cores and 16 efficiency (E) cores, and the P cores support SMT (Simultaneous MultiThreading, also known as Hyper-Threading) so each P core can run two threads simultaneously and the Linux kernel will treat each P core as two logical cores. As the result, there are 32 logical cores in total. To utilize all these logical cores running make, we can set an environment variable to tell make to run 32 jobs simultaneously:

export MAKEFLAGS='-j32'

or just building with:

make -j32

If you have applied the optional sed when building ninja in LFS, you can use:

export NINJAJOBS=32

when a package uses ninja, or just:

ninja -j32

If you are not sure about the number of logical cores, run the nproc command.

For make, the default number of jobs is 1. But for ninja, the default number of jobs is N + 2 if the number of logical cores N is greater than 2; or N + 1 if N is 1 or 2. The reason to use a number of jobs slightly greater than the number of logical cores is keeping all logical processors busy even if some jobs are performing I/O operations.

Note that the -j switches only limits the parallel jobs started by make or ninja, but each job may still spawn its own processes or threads. For example, will use multiple threads for linking, and some tests of packages can spawn multiple threads for testing thread safety properties. There is no generic way for the building system to know the number of processes or threads spawned by a job. So generally we should not consider the value passed with -j a hard limit of the number of logical cores to use. Read the section called “Use Linux Control Group to Limit the Resource Usage” if you want to set such a hard limit.

Generally the number of processes should not exceed the number of cores supported by the CPU too much. To list the processors on your system, issue: grep processor /proc/cpuinfo.

In some cases, using multiple processes may result in a race condition where the success of the build depends on the order of the commands run by the make program. For instance, if an executable needs File A and File B, attempting to link the program before one of the dependent components is available will result in a failure. This condition usually arises because the upstream developer has not properly designated all the prerequisites needed to accomplish a step in the Makefile.

If this occurs, the best way to proceed is to drop back to a single processor build. Adding -j1 to a make command will override the similar setting in the MAKEFLAGS environment variable.


Another problem may occur with modern CPU's, which have a lot of cores. Each job started consumes memory, and if the sum of the needed memory for each job exceeds the available memory, you may encounter either an OOM (Out of Memory) kernel interrupt or intense swapping that will slow the build beyond reasonable limits.

Some compilations with g++ may consume up to 2.5 GB of memory, so to be safe, you should restrict the number of jobs to (Total Memory in GB)/2.5, at least for big packages such as LLVM, WebKitGtk, QtWebEngine, or libreoffice.

Use Linux Control Group to Limit the Resource Usage

Sometimes we want to limit the resource usage when we build a package. For example, when we have 8 logical cores, we may want to use only 6 cores for building the package and reserve another 2 cores for playing a movie. The Linux kernel provides a feature called control groups (cgroup) for such a need.

Enable control group in the kernel configuration, then rebuild the kernel and reboot if necessary:

General setup --->
  [*] Control Group support --->                                       [CGROUPS]
    [*] Memory controller                                                [MEMCG]
    [*] Cpuset controller                                              [CPUSETS]

Ensure Systemd-255 and Shadow-4.14.5 have been rebuilt with Linux-PAM-1.6.0 support (if you are interacting via a SSH or graphical session, also ensure the OpenSSH-9.6p1 server or the desktop manager has been built with Linux-PAM-1.6.0). As the root user, create a configuration file to allow resource control without root privilege, and instruct systemd to reload the configuration:

mkdir -pv /etc/systemd/system/user@.service.d &&
cat > /etc/systemd/system/user@.service.d/delegate.conf << EOF &&
Delegate=memory cpuset
systemctl daemon-reload

Then logout and login again. Now to run make -j5 with the first 4 logical cores and 8 GB of system memory, issue:

systemctl   --user start dbus                &&
systemd-run --user --pty --pipe --wait -G -d \
            -p MemoryHigh=8G                 \
            -p AllowedCPUs=0-3               \
            make -j5

With MemoryHigh=8G , a soft limit of memory usage is set. If the processes in the cgroup (make and all the descendants of it) uses more than 8 GB of system memory in total, the kernel will throttle down the processes and try to reclaim the system memory from them. But they can still use more than 8 GB of system memory. If you want to make a hard limit instead, replace MemoryHigh with MemoryMax. But doing so will cause the processes killed if 8 GB is not enough for them.

AllowedCPUs=0-3 makes the kernel only run the processes in the cgroup on the logical cores with numbers 0, 1, 2, or 3. You may need to adjust this setting based the mapping between the logical cores and the physical cores. For example, with an Intel Core i9-13900K CPU, the logical cores 0, 2, 4, ..., 14 are mapped to the first threads of the eight physical P cores, the logical cores 1, 3, 5, ..., 15 are mapped to the second threads of the physical P cores, and the logical cores 16, 17, ..., 31 are mapped to the 16 physical E cores. So if we want to use four threads from four different P cores, we need to specify 0,2,4,6 instead of 0-3. Note that the other CPU models may use a different mapping scheme. If you are not sure about the mapping between the logical cores and the physical cores, run grep -E '^processor|^core' /proc/cpuinfo which will output logical core IDs in the processor lines, and physical core IDs in the core id lines.

When the nproc or ninja command runs in a cgroup, it will use the number of logical cores assigned to the cgroup as the system logical core count. For example, in a cgroup with logical cores 0-3 assigned, nproc will print 4, and ninja will run 6 (4 + 2) jobs simultaneously if no -j setting is explicitly given.

Read the man pages systemd-run(1) and systemd.resource-control(5) for the detailed explanation of parameters in the command.

Automated Building Procedures

There are times when automating the building of a package can come in handy. Everyone has their own reasons for wanting to automate building, and everyone goes about it in their own way. Creating Makefiles, Bash scripts, Perl scripts or simply a list of commands used to cut and paste are just some of the methods you can use to automate building BLFS packages. Detailing how and providing examples of the many ways you can automate the building of packages is beyond the scope of this section. This section will expose you to using file redirection and the yes command to help provide ideas on how to automate your builds.

File Redirection to Automate Input

You will find times throughout your BLFS journey when you will come across a package that has a command prompting you for information. This information might be configuration details, a directory path, or a response to a license agreement. This can present a challenge to automate the building of that package. Occasionally, you will be prompted for different information in a series of questions. One method to automate this type of scenario requires putting the desired responses in a file and using redirection so that the program uses the data in the file as the answers to the questions.

This effectively makes the test suite use the responses in the file as the input to the questions. Occasionally you may end up doing a bit of trial and error determining the exact format of your input file for some things, but once figured out and documented you can use this to automate building the package.

Using yes to Automate Input

Sometimes you will only need to provide one response, or provide the same response to many prompts. For these instances, the yes command works really well. The yes command can be used to provide a response (the same one) to one or more instances of questions. It can be used to simulate pressing just the Enter key, entering the Y key or entering a string of text. Perhaps the easiest way to show its use is in an example.

First, create a short Bash script by entering the following commands:

cat > blfs-yes-test1 << "EOF"

echo -n -e "\n\nPlease type something (or nothing) and press Enter ---> "


if test "$A_STRING" = ""; then A_STRING="Just the Enter key was pressed"
else A_STRING="You entered '$A_STRING'"

echo -e "\n\n$A_STRING\n\n"
chmod 755 blfs-yes-test1

Now run the script by issuing ./blfs-yes-test1 from the command line. It will wait for a response, which can be anything (or nothing) followed by the Enter key. After entering something, the result will be echoed to the screen. Now use the yes command to automate the entering of a response:

yes | ./blfs-yes-test1

Notice that piping yes by itself to the script results in y being passed to the script. Now try it with a string of text:

yes 'This is some text' | ./blfs-yes-test1

The exact string was used as the response to the script. Finally, try it using an empty (null) string:

yes '' | ./blfs-yes-test1

Notice this results in passing just the press of the Enter key to the script. This is useful for times when the default answer to the prompt is sufficient. This syntax is used in the Net-tools instructions to accept all the defaults to the many prompts during the configuration step. You may now remove the test script, if desired.

File Redirection to Automate Output

In order to automate the building of some packages, especially those that require you to read a license agreement one page at a time, requires using a method that avoids having to press a key to display each page. Redirecting the output to a file can be used in these instances to assist with the automation. The previous section on this page touched on creating log files of the build output. The redirection method shown there used the tee command to redirect output to a file while also displaying the output to the screen. Here, the output will only be sent to a file.

Again, the easiest way to demonstrate the technique is to show an example. First, issue the command:

ls -l /usr/bin | less

Of course, you'll be required to view the output one page at a time because the less filter was used. Now try the same command, but this time redirect the output to a file. The special file /dev/null can be used instead of the filename shown, but you will have no log file to examine:

ls -l /usr/bin | less > redirect_test.log 2>&1

Notice that this time the command immediately returned to the shell prompt without having to page through the output. You may now remove the log file.

The last example will use the yes command in combination with output redirection to bypass having to page through the output and then provide a y to a prompt. This technique could be used in instances when otherwise you would have to page through the output of a file (such as a license agreement) and then answer the question of do you accept the above?. For this example, another short Bash script is required:

cat > blfs-yes-test2 << "EOF"

ls -l /usr/bin | less

echo -n -e "\n\nDid you enjoy reading this? (y,n) "


if test "$A_STRING" = "y"; then A_STRING="You entered the 'y' key"
else A_STRING="You did NOT enter the 'y' key"

echo -e "\n\n$A_STRING\n\n"
chmod 755 blfs-yes-test2

This script can be used to simulate a program that requires you to read a license agreement, then respond appropriately to accept the agreement before the program will install anything. First, run the script without any automation techniques by issuing ./blfs-yes-test2.

Now issue the following command which uses two automation techniques, making it suitable for use in an automated build script:

yes | ./blfs-yes-test2 > blfs-yes-test2.log 2>&1

If desired, issue tail blfs-yes-test2.log to see the end of the paged output, and confirmation that y was passed through to the script. Once satisfied that it works as it should, you may remove the script and log file.

Finally, keep in mind that there are many ways to automate and/or script the build commands. There is not a single correct way to do it. Your imagination is the only limit.


For each package described, BLFS lists the known dependencies. These are listed under several headings, whose meaning is as follows:

  • Required means that the target package cannot be correctly built without the dependency having first been installed, except if the dependency is said to be runtime, which means the target package can be built but cannot function without it.

    Note that a target package can start to function in many subtle ways: an installed configuration file can make the init system, cron daemon, or bus daemon to run a program automatically; another package using the target package as an dependency can run a program from the target package in the building system; and the configuration sections in the BLFS book may also run a program from a just installed package. So if you are installing the target package without a Required (runtime) dependency installed, You should install the dependency as soon as possible after the installation of the target package.

  • Recommended means that BLFS strongly suggests this package is installed first (except if said to be runtime, see below) for a clean and trouble-free build, that won't have issues either during the build process, or at run-time. The instructions in the book assume these packages are installed. Some changes or workarounds may be required if these packages are not installed. If a recommended dependency is said to be runtime, it means that BLFS strongly suggests that this dependency is installed before using the package, for getting full functionality.

  • Optional means that this package might be installed for added functionality. Often BLFS will describe the dependency to explain the added functionality that will result. An optional dependency may be automatically pick up by the target package if the dependency is installed, but another some optional dependency may also need additional configuration options to enable them when the target package is built. Such additional options are often documented in the BLFS book. If an optional dependency is said to be runtime, it means you may install the dependency after installing the target package to support some optional features of the target package if you need these features.

    An optional dependency may be out of BLFS. If you need such an external optional dependency for some features you need, read Going Beyond BLFS for the general hint about installing an out-of-BLFS package.

Using the Most Current Package Sources

On occasion you may run into a situation in the book when a package will not build or work properly. Though the Editors attempt to ensure that every package in the book builds and works properly, sometimes a package has been overlooked or was not tested with this particular version of BLFS.

If you discover that a package will not build or work properly, you should see if there is a more current version of the package. Typically this means you go to the maintainer's web site and download the most current tarball and attempt to build the package. If you cannot determine the maintainer's web site by looking at the download URLs, use Google and query the package's name. For example, in the Google search bar type: 'package_name download' (omit the quotes) or something similar. Sometimes typing: 'package_name home page' will result in you finding the maintainer's web site.

Stripping One More Time

In LFS, stripping of debugging symbols and unneeded symbol table entries was discussed a couple of times. When building BLFS packages, there are generally no special instructions that discuss stripping again. Stripping can be done while installing a package, or afterwards.

Stripping while Installing a Package

There are several ways to strip executables installed by a package. They depend on the build system used (see below the section about build systems), so only some generalities can be listed here:


The following methods using the feature of a building system (autotools, meson, or cmake) will not strip static libraries if any is installed. Fortunately there are not too many static libraries in BLFS, and a static library can always be stripped safely by running strip --strip-unneeded on it manually.

  • The packages using autotools usually have an install-strip target in their generated Makefile files. So installing stripped executables is just a matter of using make install-strip instead of make install.

  • The packages using the meson build system can accept -Dstrip=true when running meson. If you've forgot to add this option running the meson, you can also run meson install --strip instead of ninja install.

  • cmake generates install/strip targets for both the Unix Makefiles and Ninja generators (the default is Unix Makefiles on linux). So just run make install/strip or ninja install/strip instead of the install counterparts.

  • Removing (or not generating) debug symbols can also be achieved by removing the -g<something> options in C/C++ calls. How to do that is very specific for each package. And, it does not remove unneeded symbol table entries. So it will not be explained in detail here. See also below the paragraphs about optimization.

Stripping Installed Executables

The strip utility changes files in place, which may break anything using it if it is loaded in memory. Note that if a file is in use but just removed from the disk (i.e. not overwritten nor modified), this is not a problem since the kernel can use deleted files. Look at /proc/*/maps and it is likely that you'll see some (deleted) entries. The mv just removes the destination file from the directory but does not touch its content, so that it satisfies the condition for the kernel to use the old (deleted) file. But this approach can detach hard links into duplicated copies, causing a bloat which is obviously unwanted as we are stripping to reduce system size. If two files in a same file system share the same inode number, they are hard links to each other and we should reconstruct the link. The script below is just an example. It should be run as the root user:

cat > /usr/sbin/ << "EOF"

if [ $EUID -ne 0 ]; then
  echo "Need to be root"
  exit 1


{ find /usr/lib -type f -name '*.so*' ! -name '*dbg'
  find /usr/lib -type f -name '*.a'
  find /usr/{bin,sbin,libexec} -type f
} | xargs stat -c '%m %i %n' | sort | while read fs inode file; do
       if ! readelf -h $file >/dev/null 2>&1; then continue; fi
       if file $file | grep --quiet --invert-match 'not stripped'; then continue; fi

       if [ "$fs $inode" = "$last_fs_inode" ]; then
         ln -f $last_file $file;

       cp --preserve $file    ${file}.tmp
       strip --strip-unneeded ${file}.tmp
       mv ${file}.tmp $file

       last_fs_inode="$fs $inode"
chmod 744 /usr/sbin/

If you install programs in other directories such as /opt or /usr/local, you may want to strip the files there too. Just add other directories to scan in the compound list of find commands between the braces.

For more information on stripping, see

Working with different build systems

There are now three different build systems in common use for converting C or C++ source code into compiled programs or libraries and their details (particularly, finding out about available options and their default values) differ. It may be easiest to understand the issues caused by some choices (typically slow execution or unexpected use of, or omission of, optimizations) by starting with the CFLAGS, CXXFLAGS, and LDFLAGS environment variables. There are also some programs which use Rust.

Most LFS and BLFS builders are probably aware of the basics of CFLAGS and CXXFLAGS for altering how a program is compiled. Typically, some form of optimization is used by upstream developers (-O2 or -O3), sometimes with the creation of debug symbols (-g), as defaults.

If there are contradictory flags (e.g. multiple different -O values), the last value will be used. Sometimes this means that flags specified in environment variables will be picked up before values hardcoded in the Makefile, and therefore ignored. For example, where a user specifies -O2 and that is followed by -O3 the build will use -O3.

There are various other things which can be passed in CFLAGS or CXXFLAGS, such as allowing using the instruction set extensions available with a specific microarchitecture (e.g. -march=amdfam10 or -march=native), tune the generated code for a specific microarchitecture (e. g. -mtune=tigerlake or -mtune=native, if -mtune= is not used, the microarchitecture from -march= setting will be used), or specifying a specific standard for C or C++ (-std=c++17 for example). But one thing which has now come to light is that programmers might include debug assertions in their code, expecting them to be disabled in releases by using -DNDEBUG. Specifically, if Mesa-24.0.1 is built with these assertions enabled, some activities such as loading levels of games can take extremely long times, even on high-class video cards.

Autotools with Make

This combination is often described as CMMI (configure, make, make install) and is used here to also cover the few packages which have a configure script that is not generated by autotools.

Sometimes running ./configure --help will produce useful options about switches which might be used. At other times, after looking at the output from configure you may need to look at the details of the script to find out what it was actually searching for.

Many configure scripts will pick up any CFLAGS or CXXFLAGS from the environment, but CMMI packages vary about how these will be mixed with any flags which would otherwise be used (variously: ignored, used to replace the programmer's suggestion, used before the programmer's suggestion, or used after the programmer's suggestion).

In most CMMI packages, running make will list each command and run it, interspersed with any warnings. But some packages try to be silent and only show which file they are compiling or linking instead of showing the command line. If you need to inspect the command, either because of an error, or just to see what options and flags are being used, adding V=1 to the make invocation may help.


CMake works in a very different way, and it has two backends which can be used on BLFS: make and ninja. The default backend is make, but ninja can be faster on large packages with multiple processors. To use ninja, specify -G Ninja in the cmake command. However, there are some packages which create fatal errors in their ninja files but build successfully using the default of Unix Makefiles.

The hardest part of using CMake is knowing what options you might wish to specify. The only way to get a list of what the package knows about is to run cmake -LAH and look at the output for that default configuration.

Perhaps the most-important thing about CMake is that it has a variety of CMAKE_BUILD_TYPE values, and these affect the flags. The default is that this is not set and no flags are generated. Any CFLAGS or CXXFLAGS in the environment will be used. If the programmer has coded any debug assertions, those will be enabled unless -DNDEBUG is used. The following CMAKE_BUILD_TYPE values will generate the flags shown, and these will come after any flags in the environment and therefore take precedence.

Value Flags
Debug -g
Release -O3 -DNDEBUG
RelWithDebInfo -O2 -g -DNDEBUG
MinSizeRel -Os -DNDEBUG

CMake tries to produce quiet builds. To see the details of the commands which are being run, use make VERBOSE=1 or ninja -v.

By default, CMake treats file installation differently from the other build systems: if a file already exists and is not newer than a file that would overwrite it, then the file is not installed. This may be a problem if a user wants to record which file belongs to a package, either using LD_PRELOAD, or by listing files newer than a timestamp. The default can be changed by setting the variable CMAKE_INSTALL_ALWAYS to 1 in the environment, for example by export'ing it.


Meson has some similarities to CMake, but many differences. To get details of the defines that you may wish to change you can look at meson_options.txt which is usually in the top-level directory.

If you have already configured the package by running meson and now wish to change one or more settings, you can either remove the build directory, recreate it, and use the altered options, or within the build directory run meson configure, e.g. to set an option:

meson configure -D<some_option>=true

If you do that, the file meson-private/cmd_line.txt will show the last commands which were used.

Meson provides the following buildtype values, and the flags they enable come after any flags supplied in the environment and therefore take precedence.

  • plain : no added flags. This is for distributors to supply their own CFLAGS, CXXFLAGS and LDFLAGS. There is no obvious reason to use this in BLFS.

  • debug : -g - this is the default if nothing is specified in either or the command line. However it results large and slow binaries, so we should override it in BLFS.

  • debugoptimized : -O2 -g - this is the default specified in of some packages.

  • release : -O3 (occasionally a package will force -O2 here) - this is the buildtype we use for most packages with Meson build system in BLFS.

The -DNDEBUG flag is implied by the release buildtype for some packages (for example Mesa-24.0.1). It can also be provided explicitly by passing -Db_ndebug=true.

To see the details of the commands which are being run in a package using meson, use ninja -v.

Rustc and Cargo

Most released rustc programs are provided as crates (source tarballs) which will query a server to check current versions of dependencies and then download them as necessary. These packages are built using cargo --release. In theory, you can manipulate the RUSTFLAGS to change the optimize-level (default for --release is 3, i. e. -Copt-level=3, like -O3) or to force it to build for the machine it is being compiled on, using -Ctarget-cpu=native but in practice this seems to make no significant difference.

If you are compiling a standalone Rust program (as an unpackaged .rs file) by running rustc directly, you should specify -O (the abbreviation of -Copt-level=2) or -Copt-level=3 otherwise it will do an unoptimized compile and run much slower. If are compiling the program for debugging it, replace the -O or -Copt-level= options with -g to produce an unoptimized program with debug info.

Like ninja, by default cargo uses all logical cores. This can often be worked around, either by exporting CARGO_BUILD_JOBS=<N> or passing --jobs <N> to cargo. For compiling rustc itself, specifying --jobs <N> for invocations of (together with the CARGO_BUILD_JOBS environment variable, which looks like a belt and braces approach but seems to be necessary) mostly works. The exception is running the tests when building rustc, some of them will nevertheless use all online CPUs, at least as of rustc-1.42.0.

Optimizing the build

Many people will prefer to optimize compiles as they see fit, by providing CFLAGS or CXXFLAGS. For an introduction to the options available with gcc and g++ see The same content can be also found in info gcc.

Some packages default to -O2 -g, others to -O3 -g, and if CFLAGS or CXXFLAGS are supplied they might be added to the package's defaults, replace the package's defaults, or even be ignored. There are details on some desktop packages which were mostly current in April 2019 at - in particular, README.txt, tuning-1-packages-and-notes.txt, and tuning-notes-2B.txt. The particular thing to remember is that if you want to try some of the more interesting flags you may need to force verbose builds to confirm what is being used.

Clearly, if you are optimizing your own program you can spend time to profile it and perhaps recode some of it if it is too slow. But for building a whole system that approach is impractical. In general, -O3 usually produces faster programs than -O2. Specifying -march=native is also beneficial, but means that you cannot move the binaries to an incompatible machine - this can also apply to newer machines, not just to older machines. For example programs compiled for amdfam10 run on old Phenoms, Kaveris, and Ryzens : but programs compiled for a Kaveri will not run on a Ryzen because certain op-codes are not present. Similarly, if you build for a Haswell not everything will run on a SandyBridge.


Be careful that the name of a -march setting does not always match the baseline of the microarchitecture with the same name. For example, the Skylake-based Intel Celeron processors do not support AVX at all, but -march=skylake assumes AVX and even AVX2.

When a shared library is built by GCC, a feature named semantic interposition is enabled by default. When the shared library refers to a symbol name with external linkage and default visibility, if the symbol exists in both the shared library and the main executable, semantic interposition guarantees the symbol in the main executable is always used. This feature was invented in an attempt to make the behavior of linking a shared library and linking a static library as similar as possible. Today only a small number of packages still depend on semantic interposition, but the feature is still on by the default of GCC, causing many optimizations disabled for shared libraries because they conflict with semantic interposition. The -fno-semantic-interposition option can be passed to gcc or g++ to disable semantic interposition and enable more optimizations for shared libraries. This option is used as the default of some packages (for example Python-3.12.2), and it's also the default of Clang.

There are also various other options which some people claim are beneficial. At worst, you get to recompile and test, and then discover that in your usage the options do not provide a benefit.

If building Perl or Python modules, in general the CFLAGS and CXXFLAGS used are those which were used by those parent packages.

For LDFLAGS, there are three options can be used for optimization. They are quite safe to use and the building system of some packages use some of these options as the default.

With -Wl,-O1, the linker will optimize the hash table to speed up the dynamic linking. Note that -Wl,-O1 is completely unrelated to the compiler optimization flag -O1.

With -Wl,--as-needed, the linker will disregard unnecessary -lfoo options from the command line, i. e. the shared library libfoo will only be linked if a symbol in libfoo is really referred from the executable or shared library being linked. This can sometimes mitigate the excessive dependencies to shared libraries issues caused by libtool.

With -Wl,-z,pack-relative-relocs, the linker generates a more compacted form of the relative relocation entries for PIEs and shared libraries. It reduces the size of the linked PIE or shared library, and speeds up the loading of the PIE or shared library.

The -Wl, prefix is necessary because despite the variable is named LDFLAGS, its content is actually passed to gcc (or g++, clang, etc.) during the link stage, not directly passed to ld.

Options for hardening the build

Even on desktop systems, there are still a lot of exploitable vulnerabilities. For many of these, the attack comes via javascript in a browser. Often, a series of vulnerabilities are used to gain access to data (or sometimes to pwn, i.e. own, the machine and install rootkits). Most commercial distros will apply various hardening measures.

In the past, there was Hardened LFS where gcc (a much older version) was forced to use hardening (with options to turn some of it off on a per-package basis). The current LFS and BLFS books are carrying forward a part of its spirit by enabling PIE (-fPIE -pie) and SSP (-fstack-protector-strong) as the defaults for GCC and clang. What is being covered here is different - first you have to make sure that the package is indeed using your added flags and not over-riding them.

For hardening options which are reasonably cheap, there is some discussion in the 'tuning' link above (occasionally, one or more of these options might be inappropriate for a package). These options are -D_FORTIFY_SOURCE=2 (or -D_FORTIFY_SOURCE=3 which is more secure but with a larger performance overhead) and (for C++) -D_GLIBCXX_ASSERTIONS. On modern machines these should only have a little impact on how fast things run, and often they will not be noticeable.

The main distros use much more, such as RELRO (Relocation Read Only) and perhaps -fstack-clash-protection. You may also encounter the so-called userspace retpoline (-mindirect-branch=thunk etc.) which is the equivalent of the spectre mitigations applied to the linux kernel in late 2018. The kernel mitigations caused a lot of complaints about lost performance, if you have a production server you might wish to consider testing that, along with the other available options, to see if performance is still sufficient.

Whilst gcc has many hardening options, clang/LLVM's strengths lie elsewhere. Some options which gcc provides are said to be less effective in clang/LLVM.

The /usr Versus /usr/local Debate

Should I install XXX in /usr or /usr/local?

This is a question without an obvious answer for an LFS based system.

In traditional Unix systems, /usr usually contains files that come with the system distribution, and the /usr/local tree is free for the local administrator to manage. The only really hard and fast rule is that Unix distributions should not touch /usr/local, except perhaps to create the basic directories within it.

With Linux distributions like Red Hat, Debian, etc., a possible rule is that /usr is managed by the distribution's package system and /usr/local is not. This way the package manager's database knows about every file within /usr.

LFS users build their own system and so deciding where the system ends and local files begin is not straightforward. So the choice should be made in order to make things easier to administer. There are several reasons for dividing files between /usr and /usr/local.

  • On a network of several machines all running LFS, or mixed LFS and other Linux distributions, /usr/local could be used to hold packages that are common between all the computers in the network. It can be NFS mounted or mirrored from a single server. Here local indicates local to the site.

  • On a network of several computers all running an identical LFS system, /usr/local could hold packages that are different between the machines. In this case local refers to the individual computers.

  • Even on a single computer, /usr/local can be useful if you have several distributions installed simultaneously, and want a place to put packages that will be the same on all of them.

  • Or you might regularly rebuild your LFS, but want a place to put files that you don't want to rebuild each time. This way you can wipe the LFS file system and start from a clean partition every time without losing everything.

Some people ask why not use your own directory tree, e.g., /usr/site, rather than /usr/local?

There is nothing stopping you, many sites do make their own trees, however it makes installing new software more difficult. Automatic installers often look for dependencies in /usr and /usr/local, and if the file it is looking for is in /usr/site instead, the installer will probably fail unless you specifically tell it where to look.

What is the BLFS position on this?

All of the BLFS instructions install programs in /usr with optional instructions to install into /opt for some specific packages.

Optional Patches

As you follow the various sections in the book, you will observe that the book occasionally includes patches that are required for a successful and secure installation of the packages. The general policy of the book is to include patches that fall in one of the following criteria:

  • Fixes a compilation problem.

  • Fixes a security problem.

  • Fixes a broken functionality.

In short, the book only includes patches that are either required or recommended. There is a Patches subproject which hosts various patches (including the patches referenced in the books) to enable you to configure your LFS the way you like it.

BLFS Systemd Units

The BLFS Systemd Units package contains the systemd unit files that are used throughout the book.

The BLFS Systemd Units package will be used throughout the BLFS book for systemd unit files. Each systemd unit has a separate install target. It is recommended that you keep the package source directory around until completion of your BLFS system. When a systemd unit is requested from BLFS Systemd Units, simply change to the directory, and as the root user, execute the given make install-<systemd-unit> command. This command installs the systemd unit to its proper location (along with any auxiliary configuration scripts) and also enables it by default.


It is advisable to peruse each systemd unit before installation to determine whether the installed files meet your needs.

About Libtool Archive (.la) files

Files with a .la extension

In LFS and BLFS, many packages use a internally shipped libtool copy to build on a variety of Unix platforms. This includes platforms such as AIX, Solaris, IRIX, HP-UX, and Cygwin as well as Linux. The origins of this tool are quite dated. It was intended to manage libraries on systems with less advanced capabilities than a modern Linux system.

On a Linux system, libtool specific files are generally unneeded. Normally libraries are specified in the build process during the link phase. Since a linux system uses the Executable and Linkable Format (ELF) for executables and dynamic libraries, information needed to complete the task is embedded in the files. Both the linker and the program loader can query the appropriate files and properly link or execute the program.

Static libraries are rarely used in LFS and BLFS. And, nowadays most packages store the information needed for linking against a static library into a .pc file, instead of relying on libtool. A pkg-config --static --libs command will output the sufficient flags for the linker to link against a static library without any libtool magic.

The problem is that libtool usually creates one or more text files for package libraries called libtool archives. These small files have a ".la" extension and contain information that is similar to that embedded in the libraries or pkg-config files. When building a package that uses libtool, the process automatically looks for these files. Sometimes a .la file can contains the name or path of a static library used during build but not installed, then the build process will break because the .la file refers to something nonexistent on the system. Similarly, if a package is updated and no longer uses the .la file, then the build process can break with the old .la files.

The solution is to remove the .la files. However there is a catch. Some packages, such as ImageMagick-7.1.1-28, use a libtool function, lt_dlopen, to load libraries as needed during execution and resolve their dependencies at run time. In this case, the .la files should remain.

The script below, removes all unneeded .la files and saves them in a directory, /var/local/la-files by default, not in the normal library path. It also searches all pkg-config files (.pc) for embedded references to .la files and fixes them to be conventional library references needed when an application or library is built. It can be run as needed to clean up the directories that may be causing problems.

cat > /usr/sbin/ << "EOF"

# /usr/sbin/
# Written for Beyond Linux From Scratch
# by Bruce Dubbs <>

# Make sure we are running with root privs
if test "${EUID}" -ne 0; then
    echo "Error: $(basename ${0}) must be run as the root user! Exiting..."
    exit 1

# Make sure PKG_CONFIG_PATH is set if discarded by sudo
source /etc/profile


mkdir -p $OLD_LA_DIR

# Only search directories in /opt, but not symlinks to directories
OPTDIRS=$(find /opt -mindepth 1 -maxdepth 1 -type d)

# Move any found .la files to a directory out of the way
find /usr/lib $OPTDIRS -name "*.la" ! -path "/usr/lib/ImageMagick*" \
  -exec mv -fv {} $OLD_LA_DIR \;

# Fix any .pc files that may have .la references


# For each directory that can have .pc files
for d in $(echo $PKG_CONFIG_PATH | tr : ' ') $STD_PC_PATH; do

  # For each pc file
  for pc in $d/*.pc ; do
    if [ $pc == "$d/*.pc" ]; then continue; fi

    # Check each word in a line with a .la reference
    for word in $(grep '\.la' $pc); do
      if $(echo $word | grep -q '.la$' ); then
        mkdir -p $d/la-backup
        cp -fv  $pc $d/la-backup

        basename=$(basename $word )
        libref=$(echo $basename|sed -e 's/^lib/-l/' -e 's/\.la$//')

        # Fix the .pc file
        sed -i "s:$word:$libref:" $pc


chmod +x /usr/sbin/

Libraries: Static or shared?

Libraries: Static or shared?

The original libraries were simply an archive of routines from which the required routines were extracted and linked into the executable program. These are described as static libraries, with names of the form libfoo.a on UNIX-like operating systems. On some old operating systems they are the only type available.

On almost all Linux platforms there are also shared (or equivalently dynamic) libraries (with names of the form – one copy of the library is loaded into virtual memory, and shared by all the programs which call any of its functions. This is space efficient.

In the past, essential programs such as a shell were often linked statically so that some form of minimal recovery system would exist even if shared libraries, such as, became damaged (e.g. moved to lost+found after fsck following an unclean shutdown). Nowadays, most people use an alternative system install or a USB stick if they have to recover. Journaling filesystems also reduce the likelihood of this sort of problem.

Within the book, there are various places where configure switches such as --disable-static are employed, and other places where the possibility of using system versions of libraries instead of the versions included within another package is discussed. The main reason for this is to simplify updates of libraries.

If a package is linked to a dynamic library, updating to a newer library version is automatic once the newer library is installed and the program is (re)started (provided the library major version is unchanged, e.g. going from to Going to will require recompilation – ldd can be used to find which programs use the old version). If a program is linked to a static library, the program always has to be recompiled. If you know which programs are linked to a particular static library, this is merely an annoyance. But usually you will not know which programs to recompile.

One way to identify when a static library is used, is to deal with it at the end of the installation of every package. Write a script to find all the static libraries in /usr/lib or wherever you are installing to, and either move them to another directory so that they are no longer found by the linker, or rename them so that libfoo.a becomes e.g. libfoo.a.hidden. The static library can then be temporarily restored if it is ever needed, and the package needing it can be identified. This shouldn't be done blindly since many libraries only exist in a static version. For example, some libraries from the glibc and gcc packages should always be present on the system (libc_nonshared.a, libg.a, libpthread_nonshared.a, libssp_nonshared.a, libsupc++.a as of glibc-2.36 and gcc-12.2).

If you use this approach, you may discover that more packages than you were expecting use a static library. That was the case with nettle-2.4 in its default static-only configuration: It was required by GnuTLS-3.0.19, but also linked into package(s) which used GnuTLS, such as glib-networking-2.32.3.

Many packages put some of their common functions into a static library which is only used by the programs within the package and, crucially, the library is not installed as a standalone library. These internal libraries are not a problem – if the package has to be rebuilt to fix a bug or vulnerability, nothing else is linked to them.

When BLFS mentions system libraries, it means shared versions of libraries. Some packages such as Firefox-115.8.0 and ghostscript-10.02.1 bundle many other libraries in their build tree. The version they ship is often older than the version used in the system, so it may contain bugs – sometimes developers go to the trouble of fixing bugs in their included libraries, other times they do not.

Sometimes, deciding to use system libraries is an easy decision. Other times it may require you to alter the system version (e.g. for libpng-1.6.42 if used for Firefox-115.8.0). Occasionally, a package ships an old library and can no longer link to the current version, but can link to an older version. In this case, BLFS will usually just use the shipped version. Sometimes the included library is no longer developed separately, or its upstream is now the same as the package's upstream and you have no other packages which will use it. In those cases, you'll be lead to use the included library even if you usually prefer to use system libraries.

Locale Related Issues

This page contains information about locale related problems and issues. In the following paragraphs you'll find a generic overview of things that can come up when configuring your system for various locales. Many (but not all) existing locale related problems can be classified and fall under one of the headings below. The severity ratings below use the following criteria:

  • Critical: The program doesn't perform its main function. The fix would be very intrusive, it's better to search for a replacement.

  • High: Part of the functionality that the program provides is not usable. If that functionality is required, it's better to search for a replacement.

  • Low: The program works in all typical use cases, but lacks some functionality normally provided by its equivalents.

If there is a known workaround for a specific package, it will appear on that package's page.

The Needed Encoding is Not a Valid Option in the Program

Severity: Critical

Some programs require the user to specify the character encoding for their input or output data and present only a limited choice of encodings. This is the case for the -X option in Enscript-1.6.6, the -input-charset option in unpatched Cdrtools-3.02a09, and the character sets offered for display in the menu of Links-2.29. If the required encoding is not in the list, the program usually becomes completely unusable. For non-interactive programs, it may be possible to work around this by converting the document to a supported input character set before submitting to the program.

A solution to this type of problem is to implement the necessary support for the missing encoding as a patch to the original program or to find a replacement.

The Program Assumes the Locale-Based Encoding of External Documents

Severity: High for non-text documents, low for text documents

Some programs, nano-7.2 or JOE-4.6 for example, assume that documents are always in the encoding implied by the current locale. While this assumption may be valid for the user-created documents, it is not safe for external ones. When this assumption fails, non-ASCII characters are displayed incorrectly, and the document may become unreadable.

If the external document is entirely text based, it can be converted to the current locale encoding using the iconv program.

For documents that are not text-based, this is not possible. In fact, the assumption made in the program may be completely invalid for documents where the Microsoft Windows operating system has set de facto standards. An example of this problem is ID3v1 tags in MP3 files. For these cases, the only solution is to find a replacement program that doesn't have the issue (e.g., one that will allow you to specify the assumed document encoding).

Among BLFS packages, this problem applies to nano-7.2, JOE-4.6, and all media players except Audacious-4.3.1.

Another problem in this category is when someone cannot read the documents you've sent them because their operating system is set up to handle character encodings differently. This can happen often when the other person is using Microsoft Windows, which only provides one character encoding for a given country. For example, this causes problems with UTF-8 encoded TeX documents created in Linux. On Windows, most applications will assume that these documents have been created using the default Windows 8-bit encoding.

In extreme cases, Windows encoding compatibility issues may be solved only by running Windows programs under Wine.

The Program Uses or Creates Filenames in the Wrong Encoding

Severity: Critical

The POSIX standard mandates that the filename encoding is the encoding implied by the current LC_CTYPE locale category. This information is well-hidden on the page which specifies the behavior of Tar and Cpio programs. Some programs get it wrong by default (or simply don't have enough information to get it right). The result is that they create filenames which are not subsequently shown correctly by ls, or they refuse to accept filenames that ls shows properly. For the GLib-2.78.4 library, the problem can be corrected by setting the G_FILENAME_ENCODING environment variable to the special "@locale" value. Glib2 based programs that don't respect that environment variable are buggy.

The Zip-3.0 and UnZip-6.0 have this problem because they hard-code the expected filename encoding. UnZip contains a hard-coded conversion table between the CP850 (DOS) and ISO-8859-1 (UNIX) encodings and uses this table when extracting archives created under DOS or Microsoft Windows. However, this assumption only works for those in the US and not for anyone using a UTF-8 locale. Non-ASCII characters will be mangled in the extracted filenames.

The general rule for avoiding this class of problems is to avoid installing broken programs. If this is impossible, the convmv command-line tool can be used to fix filenames created by these broken programs, or intentionally mangle the existing filenames to meet the broken expectations of such programs.

In other cases, a similar problem is caused by importing filenames from a system using a different locale with a tool that is not locale-aware (e.g., OpenSSH-9.6p1). In order to avoid mangling non-ASCII characters when transferring files to a system with a different locale, any of the following methods can be used:

  • Transfer anyway, fix the damage with convmv.

  • On the sending side, create a tar archive with the --format=posix switch passed to tar (this will be the default in a future version of tar).

  • Mail the files as attachments. Mail clients specify the encoding of attached filenames.

  • Write the files to a removable disk formatted with a FAT or FAT32 filesystem.

  • Transfer the files using Samba.

  • Transfer the files via FTP using RFC2640-aware server (this currently means only wu-ftpd, which has bad security history) and client (e.g., lftp).

The last four methods work because the filenames are automatically converted from the sender's locale to UNICODE and stored or sent in this form. They are then transparently converted from UNICODE to the recipient's locale encoding.

The Program Breaks Multibyte Characters or Doesn't Count Character Cells Correctly

Severity: High or critical

Many programs were written in an older era where multibyte locales were not common. Such programs assume that C "char" data type, which is one byte, can be used to store single characters. Further, they assume that any sequence of characters is a valid string and that every character occupies a single character cell. Such assumptions completely break in UTF-8 locales. The visible manifestation is that the program truncates strings prematurely (i.e., at 80 bytes instead of 80 characters). Terminal-based programs don't place the cursor correctly on the screen, don't react to the "Backspace" key by erasing one character, and leave junk characters around when updating the screen, usually turning the screen into a complete mess.

Fixing this kind of problems is a tedious task from a programmer's point of view, like all other cases of retrofitting new concepts into the old flawed design. In this case, one has to redesign all data structures in order to accommodate to the fact that a complete character may span a variable number of "char"s (or switch to wchar_t and convert as needed). Also, for every call to the "strlen" and similar functions, find out whether a number of bytes, a number of characters, or the width of the string was really meant. Sometimes it is faster to write a program with the same functionality from scratch.

Among BLFS packages, this problem applies to xine-ui-0.99.14 and all the shells.

The Package Installs Manual Pages in Incorrect or Non-Displayable Encoding

Severity: Low

LFS expects that manual pages are in the language-specific (usually 8-bit) encoding, as specified on the LFS Man DB page. However, some packages install translated manual pages in UTF-8 encoding (e.g., Shadow, already dealt with), or manual pages in languages not in the table. Not all BLFS packages have been audited for conformance with the requirements put in LFS (the large majority have been checked, and fixes placed in the book for packages known to install non-conforming manual pages). If you find a manual page installed by any of BLFS packages that is obviously in the wrong encoding, please remove or convert it as needed, and report this to BLFS team as a bug.

You can easily check your system for any non-conforming manual pages by copying the following short shell script to some accessible location,

# Begin
# Usage: find /usr/share/man -type f | xargs
for a in "$@"
    # echo "Checking $a..."
    # Pure-ASCII manual page (possibly except comments) is OK
    grep -v '.\\"' "$a" | iconv -f US-ASCII -t US-ASCII >/dev/null 2>&1 \
        && continue
    # Non-UTF-8 manual page is OK
    iconv -f UTF-8 -t UTF-8 "$a" >/dev/null 2>&1 || continue
    # Found a UTF-8 manual page, bad.
    echo "UTF-8 manual page: $a" >&2
# End

and then issuing the following command (modify the command below if the script is not in your PATH environment variable):

find /usr/share/man -type f | xargs

Note that if you have manual pages installed in any location other than /usr/share/man (e.g., /usr/local/share/man), you must modify the above command to include this additional location.

Going Beyond BLFS

The packages that are installed in this book are only the tip of the iceberg. We hope that the experience you gained with the LFS book and the BLFS book will give you the background needed to compile, install and configure packages that are not included in this book.

When you want to install a package to a location other than /, or /usr, you are installing outside the default environment settings on most machines. The following examples should assist you in determining how to correct this situation. The examples cover the complete range of settings that may need updating, but they are not all needed in every situation.

  • Expand the PATH to include $PREFIX/bin.

  • Expand the PATH for root to include $PREFIX/sbin.

  • Add $PREFIX/lib to /etc/ or expand LD_LIBRARY_PATH to include it. Before using the latter option, check out If you modify /etc/, remember to update /etc/ by executing ldconfig as the root user.

  • Add $PREFIX/man to /etc/man_db.conf or expand MANPATH.

  • Add $PREFIX/info to INFOPATH.

  • Add $PREFIX/lib/pkgconfig to PKG_CONFIG_PATH. Some packages are now installing .pc files in $PREFIX/share/pkgconfig, so you may have to include this directory also.

  • Add $PREFIX/include to CPPFLAGS when compiling packages that depend on the package you installed.

  • Add $PREFIX/lib to LDFLAGS when compiling packages that depend on a library installed by the package.

If you are in search of a package that is not in the book, the following are different ways you can search for the desired package.

Some general hints on handling new packages:

  • Many of the newer packages follow the ./configure && make && make install process. Help on the options accepted by configure can be obtained via the command ./configure --help.

  • Most of the packages contain documentation on compiling and installing the package. Some of the documents are excellent, some not so excellent. Check out the homepage of the package for any additional and updated hints for compiling and configuring the package.

  • If you are having a problem compiling the package, try searching the LFS archives at for the error or if that fails, try searching Google. Often, a distribution will have already solved the problem (many of them use development versions of packages, so they see the changes sooner than those of us who normally use stable released versions). But be cautious - all builders tend to carry patches which are no longer necessary, and to have fixes which are only required because of their particular choices in how they build a package. You may have to search deeply to find a fix for the package version you are trying to use, or even to find the package (names are sometimes not what you might expect, e.g. ghostscript often has a prefix or a suffix in its name), but the following notes might help, particularly for those who, like the editors, are trying to build the latest versions and encountering problems:

    • Arch - enter the package name in the 'Keywords' box, select the package name, select the 'Source Files' field, and then select the PKGBUILD entry to see how they build this package.

    • Debian (use your country's version if there is one) - the source will be in .tar.gz tarballs (either the original upstream .orig source, or else a dfsg containing those parts which comply with Debian's free software guidelines) accompanied by versioned .diff.gz or .tar.gz additions. These additions often show how the package is built, and may contain patches. In the .diff.gz versions, any patches create files in debian/patches.

    • Fedora package source gets reorganized from time to time. At the moment the package source for rpms is at and from there you can try putting a package name in the search box. If the package is found you can look at the files (specfile to control the build, various patches) or the commits. If that fails, you can download an srpm (source rpm) and using rpm2cpio (see the Tip at the bottom of the page). For rpms go to and then choose which repo you wish to look at - development/rawhide is the latest development, or choose releases for what was shipped in a release, updates for updates to a release, or updates/testing for the latest updates which might work or might have problems.

    • Gentoo - First use a search engine to find an ebuild which looks as if it will fix the problem, or search at - use the search field. Note where the package lives in the portage hierarchy, e.g. app-something/. In general you can treat the ebuild as a sort of pseudo-code / shell combination with some functions you can hazard a guess at, such as dodoc. If the fix is just a sed, try it. However, in most cases the fix will use a patch. To find the patch, use a gentoo-portage mirror: Two links to mirrors in the U.S.A. which seem to usually be up to date are and Navigate down the tree to the package, then to the files/ directory to look for the patch. Sometimes a portage mirror has not yet been updated, particularly for a recent new patch. In a few cases, gentoo batch the patches into a tarball and the ebuild will have a link in the form${PATCH_DEV}/distfiles/${P}-patches-${PATCH_VER}.tar.xz : here, look for PATCH_DEV and PATCH_VER in the build and format the full URL in your browser or for wget : remember the '~' before the developer's ID and note that trying to search the earlier levels of the URL in a browser may drop you at or return 403 (forbidden).

    • openSUSE provide a rolling release, some package versions are in but others are in ../update/openSUSE-current/src - the source only seems to be available in source rpms.

    • Slackware - the official package browser is currently broken. The site at has current and previous versions in their unofficial repository with links to homepages, downloads, and some individual files, particularly the .SlackBuild files.

    • Ubuntu - see the Debian notes above.

    If everything else fails, try the blfs-support mailing-list.


If you have found a package that is only available in .deb or .rpm format, there are two small scripts, rpm2targz and deb2targz that are available at and to convert the archives into a simple tar.gz format.

You may also find an rpm2cpio script useful. The Perl version in the linux kernel archives at works for most source rpms. The rpm2targz script will use an rpm2cpio script or binary if one is on your path. Note that rpm2cpio will unpack a source rpm in the current directory, giving a tarball, a spec file, and perhaps patches or other files.

Part II. Post LFS Configuration and Extra Software

Chapter 3. After LFS Configuration Issues

The intention of LFS is to provide a basic system which you can build upon. There are several things about tidying up the system which many people wonder about once they have done the base install. We hope to cover these issues in this chapter.

Most people coming from non-Unix like backgrounds to Linux find the concept of text-only configuration files slightly strange. In Linux, just about all configuration is done via the manipulation of text files. The majority of these files can be found in the /etc hierarchy. There are often graphical configuration programs available for different subsystems but most are simply pretty front ends to the process of editing a text file. The advantage of text-only configuration is that you can edit parameters using your favorite text editor, whether that be vim, emacs, or any other editor.

The first task is making a recovery boot device in Creating a Custom Boot Device because it's the most critical need. Hardware issues relevant to firmware and other devices is addressed next. The system is then configured to ease addition of new users, because this can affect the choices you make in the two subsequent topics—The Bash Shell Startup Files and The vimrc Files.

There is one remaining topic: Customizing your Logon with /etc/issue. It doesn't have much interaction with the other topics in this chapter.

Creating a Custom Boot Device

Decent Rescue Boot Device Needs

This section is really about creating a rescue device. As the name rescue implies, the host system has a problem, often lost partition information or corrupted file systems, that prevents it from booting and/or operating normally. For this reason, you must not depend on resources from the host being "rescued". To presume that any given partition or hard drive will be available is a risky presumption.

In a modern system, there are many devices that can be used as a rescue device: floppy, cdrom, usb drive, or even a network card. Which one you use depends on your hardware and your BIOS. In the past, a rescue device was thought to be a floppy disk. Today, many systems do not even have a floppy drive.

Building a complete rescue device is a challenging task. In many ways, it is equivalent to building an entire LFS system. In addition, it would be a repetition of information already available. For these reasons, the procedures for a rescue device image are not presented here.

Creating a Rescue Floppy

The software of today's systems has grown large. Linux 2.6 no longer supports booting directly from a floppy. In spite of this, there are solutions available using older versions of Linux. One of the best is Tom's Root/Boot Disk available at This will provide a minimal Linux system on a single floppy disk and provides the ability to customize the contents of your disk if necessary.

Creating a Bootable CD-ROM

There are several sources that can be used for a rescue CD-ROM. Just about any commercial distribution's installation CD-ROMs or DVDs will work. These include RedHat, Ubuntu, and SuSE. One very popular option is Knoppix.

Also, the LFS Community has developed its own LiveCD available at This LiveCD, is no longer capable of building an entire LFS/BLFS system, but is still a good rescue CD-ROM. If you download the ISO image, use xorriso to copy the image to a CD-ROM.

The instructions for using GRUB2 to make a custom rescue CD-ROM are also available in LFS Chapter 10.

Creating a Bootable USB Drive

A USB Pen drive, sometimes called a Thumb drive, is recognized by Linux as a SCSI device. Using one of these devices as a rescue device has the advantage that it is usually large enough to hold more than a minimal boot image. You can save critical data to the drive as well as use it to diagnose and recover a damaged system. Booting such a drive requires BIOS support, but building the system consists of formatting the drive, adding GRUB as well as the Linux kernel and supporting files.

About Console Fonts

An LFS system can be used without a graphical desktop, and unless or until you install a graphical environment you will have to work in the console. Most, if not all, PCs boot with an 8x16 font - whatever the actual screen size. There are a few things you can do to alter the display on the console. Most of them involve changing the font, but the first alters the commandline used by grub.

Setting a smaller screen size in grub

Modern screens often have a lot more pixels then the screens used in the past. If your screen is 1600 pixels wide, an 8x16 font will give you 200 columns of text - unless your monitor is enormous, the text will be tiny. One of the ways to work around this is to tell grub to use a smaller size, such as 1024x768 or 800x600 or even 640x480. Even if your screen does not have a 4:3 aspect ratio, this should work.

To try this, you can reboot and edit grub's command-line to insert a 'video=' parameter between the 'root=/dev/sdXn' and 'ro', for example root=/dev/sda2 video=1024x768 ro based on the example in LFS section 10.4.4 : ../../../../lfs/view/12.1-systemd/chapter10/grub.html.

If you decide that you wish to do this, you can then (as the root user) edit /boot/grub/grub.cfg.

Using the standard psf fonts

In LFS the kbd package is used. The fonts it provides are PC Screen Fonts, usually called PSF, and they were installed into /usr/share/consolefonts. Where these include a unicode mapping table, the file suffix is often changed to .psfu although packages such as terminus-font (see below) do not add the 'u'. These fonts are usually compressed with gzip to save space, but that is not essential.

The initial PC text screens had 8 colours, or 16 colours if the bright versions of the original 8 colours were used. A PSF font can include up to 256 characters (technically, glyphs) while allowing 16 colours, or up to 512 characters (in which case, the bright colours will not be available). Clearly, these console fonts cannot be used to display CJK text - that would need thousands of available glyphs.

Some fonts in kbd can cover more than 512 codepoints ('characters'), with varying degrees of fidelity: unicode contains several whitespace codepoints which can all be mapped to a space, varieties of dashes can be mapped to a minus sign, smart quotes can map to the regular ASCII quotes rather than to whatever is used for "codepoint not present or invalid", and those cyrillic or greek letters which look like latin letters can be mapped onto them, so 'A' can also do duty for cyrillic A and greek Alpha, and 'P' can also do duty for cyrillic ER and greek RHO. Unfortunately, where a font has been created from a BDF file (the method in terminus and Debian's console-setup ) such mapping of additional codepoints onto an existing glyph is not always done, although the terminus ter-vXXn fonts do this well.

There are over 120 combinations of font and size in kbd: often a font is provided at several character sizes, and sometimes varieties cover different subsets of unicode. Most are 8 pixels wide, in heights from 8 to 16 pixels, but there are a few which are 9 pixels wide, some others which are 12x22, and even one (latarcyrheb-sun32.psfu) which has been scaled up to 16x32. Using a bigger font is another way of making text on a large screen easier to read.

Testing different fonts

You can test fonts as a normal user. If you have a font which has not been installed, you can load it with :

setfont /path/to/yourfont.ext

For the fonts already installed you only need the name, so using gr737a-9x16.psfu.gz as an example:

setfont gr737a-9x16

To see the glyphs in the font, use:


If the font looks as if it might be useful, you can then go on to test it more thoroughly.

When you find a font which you wish to use, as the root user) edit /etc/vconsole.conf as described in LFS section 9.6 ../../../../lfs/view/12.1-systemd/chapter09/console.html..

For fonts not supplied with the kbd package you will need to optionally compress it / them with gzip and then install it / them as the root user.

Editing fonts using psf-tools

Although some console fonts are created from BDF files, which is a text format with hex values for the pixels in each row of the character, there are more-modern tools available for editing psf fonts. The psftools package allows you to dump a font to a text representation with a dash for a pixel which is off (black) and a hash for a pixel which is on (white). You can then edit the text file to add more characters, or reshape them, or map extra codepoints onto them, and then create a new psf font with your changes.

Using fonts from Terminus-font

The Terminus Font package provides fixed-width bitmap fonts designed for long (8 hours and more per day) work with computers. Under 'Character variants' on that page is a list of patches (in the alt/ directory). If you are using a graphical browser to look at that page, you can see what the patches do, e.g. 'll2' makes 'l' more visibly different from 'i' and '1'.

By default terminus-fonts will try to create several types of font, and it will fail if bdftopcf from Xorg Applications has not been installed. The configure script is only really useful if you go on to install all the fonts (console and X11 bitmap) to the correct directories, as in a distro. To build only the PSF fonts and their dependencies, run:

make psf

This will create more than 240 ter-*.psf fonts. The 'b' suffix indicates bright, 'n' indicates normal. You can then test them to see if any fit your requirements. Unless you are creating a distro, there seems little point in installing them all.

As an example, to install the last of these fonts, you can gzip it and then as the root user:

install -v -m644 ter-v32n.psf.gz /usr/share/consolefonts

About Firmware

On some recent PCs it can be necessary, or desirable, to load firmware to make them work at their best. There is a directory, /lib/firmware, where the kernel or kernel drivers look for firmware images.

Currently, most firmware can be found at a git repository which can be viewed in the browser with the URL For convenience, the LFS Project has created a mirror, updated daily, where these firmware files can be accessed via wget or a web browser at

To get the firmware, either point a browser to one of the above repositories and then download the item(s) which you need. If you want all these firmware files (for example you are distributing the system onto multiple hardware systems), install git-2.44.0 and clone, or open this URL in a browser and download the latest snapshot listed in the Tag table.

For some other firmware, particularly for Intel microcode and certain wifi devices, the needed firmware is not available in the above repository. Some of this will be addressed below, but a search of the Internet for needed firmware is sometimes necessary.

Firmware files are conventionally referred to as blobs because you cannot determine what they will do. Note that firmware is distributed under various different licenses which do not permit disassembly or reverse-engineering.

Firmware for PCs falls into four categories:

  • Updates to the CPU to work around errata, usually referred to as microcode.

  • Firmware for video controllers. On x86 machines this is required for ATI devices (Radeon and AMDGPU chips) and may be useful for Intel (Skylake and later) and Nvidia (Kepler and later) GPUs.

    ATI Radeon and AMDGPU devices all require firmware to be able to use KMS (kernel modesetting - the preferred option) as well as for Xorg. For old radeon chips (before the R600), the firmware is still in the kernel source.

    Intel integrated GPUs from Skylake onwards can use firmware for GuC (the Graphics microcontroller), and also for the HuC (HEVC/H265 microcontroller which offloads to the GPU) and the DMC (Display Microcontroller) to provide additional low-power states. The GuC and HuC have had a chequered history in the kernel and updated firmware may be disabled by default, depending on your kernel version. Further details may be found at and Arch linux.

    Nvidia GPUs from Kepler onwards require signed firmware, otherwise the nouveau driver is unable to provide hardware acceleration. Nvidia has now released firmware up to Ampere (GeForce30 series) to linux-firmware. Note that faster clocks than the default are not enabled by the released firmware.

  • Firmware updates for wired network ports. Most of them work even without the updates, but they will probably work better with the updated firmware. For some modern laptops, firmware for both wired ethernet (e.g. rtl_nic) and also for bluetooth devices (e.g. qca) is required before the wired network can be used.

  • Firmware for other devices, such as wireless NICs. These devices are not required for the PC to boot, but need the firmware before these devices can be used.


Although not needed to load a firmware blob, the following tools may be useful for determining, obtaining, or preparing the needed firmware in order to load it into the system: cpio-2.15, git-2.44.0, pciutils-3.10.0, and Wget-1.21.4

Microcode updates for CPUs

In general, microcode can be loaded by the BIOS or UEFI, and it might be updated by upgrading to a newer version of those. On linux, you can also load the microcode from the kernel if you are using an AMD family 10h or later processor (first introduced late 2007), or an Intel processor from 1998 and later (Pentium4, Core, etc), if updated microcode has been released. These updates only last until the machine is powered off, so they need to be applied on every boot.

Intel provide updates of their microcode for Skylake and later processors as new vulnerabilities come to light, and have in the past provided updates for processors from SandyBridge onwards, although those are no-longer supported for new fixes. New versions of AMD firmware are rare and usually only apply to a few models, although motherboard manufacturers get AGESA (AMD Generic Encapsulated Software Architecture) updates to change BIOS values, e.g. to support more memory variants, new vulnerability fixes or newer CPUs.

There were two ways of loading the microcode, described as 'early' and 'late'. Early loading happens before userspace has been started, late loading happens after userspace has started. However, late loading is known to be problematic and not supported anymore (see the kernel commit x86/microcode: Taint and warn on late loading.) Indeed, early loading is needed to work around one particular erratum in early Intel Haswell processors which had TSX enabled. (See Intel Disables TSX Instructions: Erratum Found in Haswell, Haswell-E/EP, Broadwell-Y.) Without this update glibc can do the wrong thing in uncommon situations.

In previous versions of this book, late loading of microcode to see if it gets applied was recommended, followed by using an initrd to force early loading. But now that the contents of the Intel microcode tarball is documented, and AMD microcode can be read by a Python script to determine which machines it covers, there is no real reason to use late loading.

It might be still possible to manually force late loading of microcode. But it may cause kernel malfunction and you should take the risk yourself. You will need to reconfigure your kernel for late loading, but early loading is always supported by Linux kernel version 6.6 or later on a x86 (no matter 32-bit or 64-bit) system. The instructions here will show you how to create an initrd for early loading. It is also possible to build the same microcode bin file into the kernel, which allows early loading but requires the kernel to be recompiled to update the microcode.

To confirm what processor(s) you have (if more than one, they will be identical) look in /proc/cpuinfo. Determine the decimal values of the cpu family, model and stepping by running the following command (it will also report the current microcode version):

head -n7 /proc/cpuinfo

Convert the cpu family, model and stepping to pairs of hexadecimal digits, and remember the value of the microcode field. You can now check if there is any microcode available.

If you are creating an initrd to update firmware for different machines, as a distro would do, go down to 'Early loading of microcode' and cat all the Intel blobs to GenuineIntel.bin or cat all the AMD blobs to AuthenticAMD.bin. This creates a larger initrd - for all Intel machines in the 20200609 update the size was 3.0 MB compared to typically 24 KB for one machine.

Intel Microcode for the CPU

The first step is to get the most recent version of the Intel microcode. This must be done by navigating to and downloading the latest file there. As of this writing the most secure version of the microcode is microcode-20231114. Extract this file in the normal way, the microcode is in the intel-ucode directory, containing various blobs with names in the form XX-YY-ZZ. There are also various other files, and a releasenote.

In the past, intel did not provide any details of which blobs had changed versions, but now the releasenote details this. You can compare the microcode version in /proc/cpuinfo with the version for your CPU model in the releasenote to know if there is an update.

The recent firmware for older processors is provided to deal with vulnerabilities which have now been made public, and for some of these such as Microarchitectural Data Sampling (MDS) you might wish to increase the protection by disabling hyperthreading, or alternatively to disable the kernel's default mitigation because of its impact on compile times. Please read the online documentation at

For an Tigerlake mobile (described as Intel(R) Core(TM) i5-11300H CPU) the relevant values are cpu family 6, model 140, stepping 1 so in this case the required identification is 06-8c-01. The releasenote says the latest microcode for it is versioned 0xb4. If the value of the microcode field in /proc/cpuinfo is 0xb4 or greater, it indicates the microcode update is already applied by the BIOS. Otherwise, proceed to the section called “Early loading of microcode”.

AMD Microcode for the CPU

Begin by downloading a container of firmware for your CPU family from The family is always specified in hex. Families 10h to 14h (16 to 20) are in microcode_amd.bin. Families 15h, 16h, 17h (Zen, Zen+, Zen2) and 19h (Zen3) have their own containers, but very few machines are likely to get updated microcode. Instead, AMD provide an updated AGESA to the motherboard makers, who may provide an updated BIOS using this. There is a Python3 script at Download that script and run it against the bin file to check which processors have updates.

For the very old Athlon(tm) II X2 in these examples the values were cpu family 16, model 5, stepping 3 giving an identification of Family=0x10 Model=0x05 Stepping=0x03. One line of the script output describes the microcode version for it:

Family=0x10 Model=0x05 Stepping=0x03: Patch=0x010000c8 Length=960 bytes

If the value of the microcode field in /proc/cpuinfo is 0x10000c8 or greater, it indicates the BIOS has already applied the microcode update. Otherwise, proceed to the section called “Early loading of microcode”.

Early loading of microcode

If you have established that updated microcode is available for your system, it is time to prepare it for early loading. This requires an additional package, cpio-2.15 and the creation of an initrd which will need to be added to grub.cfg.

It does not matter where you prepare the initrd, and once it is working you can apply the same initrd to later LFS systems or newer kernels on this same machine, at least until any newer microcode is released. Use the following commands:

mkdir -p initrd/kernel/x86/microcode
cd initrd

For an AMD machine, use the following command (replace <MYCONTAINER> with the name of the container for your CPU's family):

cp -v ../<MYCONTAINER> kernel/x86/microcode/AuthenticAMD.bin

Or for an Intel machine copy the appropriate blob using this command:

cp -v ../intel-ucode/<XX-YY-ZZ> kernel/x86/microcode/GenuineIntel.bin

Now prepare the initrd:

find . | cpio -o -H newc > /boot/microcode.img

You now need to add a new entry to /boot/grub/grub.cfg and here you should add a new line after the linux line within the stanza. If /boot is a separate mountpoint:

initrd /microcode.img

or this if it is not:

initrd /boot/microcode.img

If you are already booting with an initrd (see the section called “About initramfs”), you should run mkinitramfs again after putting the appropriate blob or container into /lib/firmware. More precisely, put an intel blob in a /lib/firmware/intel-ucode directory or an AMD container in a /lib/firmware/amd-ucode directory before running mkinitramfs. Alternatively, you can have both initrd on the same line, such as initrd /microcode.img /other-initrd.img (adapt that as above if /boot is not a separate mountpoint).

You can now reboot with the added initrd, and then use the following command to check that the early load worked:

dmesg | grep -e 'microcode' -e 'Linux version' -e 'Command line'

If you updated to address vulnerabilities, you can look at the output of the lscpu command to see what is now reported.

The places and times where early loading happens are very different in AMD and Intel machines. First, an example of an Intel (Tigerlake mobile) with early loading:

[    0.000000] microcode: microcode updated early: 0x86 -> 0xb4, date = 2023-09-07
[    0.000000] Linux version 6.6.1 (xry111@stargazer) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #36 SMP PREEMPT_DYNAMIC Tue Nov 14 01:56:04 CST 2023
[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-6.6.1 root=PARTUUID=<CLASSIFIED> ro
[    0.424002] microcode: Microcode Update Driver: v2.2.

A historic AMD example:

[    0.000000] Linux version 4.15.3 (ken@testserver) (gcc version 7.3.0 (GCC))
               #2 SMP Sun Feb 18 02:32:03 GMT 2018
[    0.000000] Command line: BOOT_IMAGE=/vmlinuz-4.15.3-sda5 root=/dev/sda5 ro
[    0.307619] microcode: microcode updated early to new patch_level=0x010000c8
[    0.307678] microcode: CPU0: patch_level=0x010000c8
[    0.307723] microcode: CPU1: patch_level=0x010000c8
[    0.307795] microcode: Microcode Update Driver: v2.2.

Firmware for Video Cards

Firmware for ATI video chips (R600 and later)

These instructions do NOT apply to old radeons before the R600 family. For those, the firmware is in the kernel's /lib/firmware/ directory. Nor do they apply if you intend to avoid a graphical setup such as Xorg and are content to use the default 80x25 display rather than a framebuffer.

Early radeon devices only needed a single 2K blob of firmware. Recent devices need several different blobs, and some of them are much bigger. The total size of the radeon firmware directory is over 500K — on a large modern system you can probably spare the space, but it is still redundant to install all the unused files each time you build a system.

A better approach is to install pciutils-3.10.0 and then use lspci to identify which VGA controller is installed.

With that information, check the RadeonFeature page of the Xorg wiki for Decoder ring for engineering vs marketing names to identify the family (you may need to know this for the Xorg driver in BLFS — Southern Islands and Sea Islands use the radeonsi driver) and the specific model.

Now that you know which controller you are using, consult the Radeon page of the Gentoo wiki which has a table listing the required firmware blobs for the various chipsets. Note that Southern Islands and Sea Islands chips use different firmware for kernel 3.17 and later compared to earlier kernels. Identify and download the required blobs then install them:

mkdir -pv /lib/firmware/radeon
cp -v <YOUR_BLOBS> /lib/firmware/radeon

Building the kernel amdgpu driver as a module is recommended because the firmware files need to be accessible at the time it is loaded. If you are building it as a part of the kernel image for any reason, you need to either include the firmware files in the initramfs (read the section called “About initramfs” for details), or include them in the kernel image itself (read the section called “Include Firmware Blobs in the Kernel Image” for details).

Firmware for AMD/ATI amdgpu video chips

All video controllers using the amdgpu kernel driver require firmware, whether you will be using the xorg amdgpu driver, the xserver's modesetting driver, or just kernel modesetting to get a console framebuffer larger than 80x25.

Install pciutils-3.10.0 and use that to check the model name (look for 'VGA compatible controller:'). If you have an APU (Accelerated Processing Unit, i.e. CPU and video on the same chip) that will probably tell you the name. If you have a separate amdgpu video card you will need to search to determine which name it uses (e.g. a card described as Advanced Micro Devices, Inc. [AMD/ATI] Baffin [Radeon RX 550 640SP / RX 560/560X] needs Polaris11 firmware. There is a table of "Family, Chipset name, Product name and Firmware" at the end of the Kernel sections in AMDGPU page of the Gentoo wiki.

Once you have identified the firmware name, install all the relevant files for it. For example, the Baffin card mentioned above has 21 different polaris11* files, APUs such as renoir and picasso have at least 12 files and might gain more in future updates (e.g. the raven APU now has a 13th file, raven_ta.bin).

mkdir -pv /lib/firmware/amdgpu
cp -v <YOUR_BLOBS> /lib/firmware/amdgpu

If disk space is not a problem, you could install all the current amdgpu firmware files and not worry about exactly which chipset is installed.

Building the kernel amdgpu driver as a module is recommended because the firmware files need to be accessible at the time it is loaded. If you are building it as a part of the kernel image for any reason, you need to either include the firmware files in the initramfs (read the section called “About initramfs” for details), or include them in the kernel image itself (read the section called “Include Firmware Blobs in the Kernel Image” for details).

Firmware for Nvidia video chips

Nvidia has released basic signed firmware for recent graphics chips, but significantly after the chips and its own binary drivers were first available. For other chips it has been necessary to extract the firmware from the binary driver.

For more exact information about which chips need extracted firmware, see

If the necessary firmware is available in the nvidia/ directory of linux-firmware, copy it to /lib/firmware/nouveau.

If the firmware has not been made available in linux-firmware, for the old chips mentioned in the nouveau wiki link above run the following commands:

sh --extract-only
mkdir -p /lib/firmware/nouveau
cp -d nv* vuc-* /lib/firmware/nouveau/

Firmware for Network Interfaces

The kernel likes to load firmware for some network drivers, particularly those from Realtek (the /lib/linux-firmware/rtl_nic/) directory, but they generally appear to work without it. Therefore, you can boot the kernel, check dmesg for messages about this missing firmware, and if necessary download the firmware and put it in the specified directory in /lib/firmware so that it will be found on subsequent boots. Note that with current kernels this works whether or not the driver is compiled in or built as a module, there is no need to build this firmware into the kernel. Here is an example where the R8169 driver has been compiled in but the firmware was not made available. Once the firmware had been provided, there was no mention of it on later boots.

dmesg | grep firmware | grep r8169
[    7.018028] r8169 0000:01:00.0: Direct firmware load for rtl_nic/rtl8168g-2.fw failed with error -2
[    7.018036] r8169 0000:01:00.0 eth0: unable to load firmware patch rtl_nic/rtl8168g-2.fw (-2)

Firmware for Regulatory Database of Wireless Devices

Different countries have different regulations on the radio spectrum usage of wireless devices. You can install a firmware to make the wireless devices obey local spectrum regulations, so you won't be inquired by local authority or find your wireless NIC jamming the frequencies of other devices (for example, remote controllers). The regulatory database firmware can be downloaded from To install it, simply extract regulatory.db and regulatory.db.p7s from the tarball into /lib/firmware. Note that either the cfg80211 driver needs to be selected as a module for the regulatory.* files to be loaded, or those files need to be included as firmware into the kernel, as explained above in the section called “Firmware for Video Cards”.

The access point (AP) would send a country code to your wireless NIC, and wpa_supplicant-2.10 would tell the kernel to load the regulation of this country from regulatory.db, and enforce it. Note that several AP don't send this country code, so you may be locked to a rather restricted usage (specially if you want to use your interface as an AP).

Sound Open Firmware

Some systems (especially budget laptops) utilize a DSP shipped with the CPU for connection with the audio codec. The Sound Open Firmware must be loaded onto the DSP to make it functional. These firmware files can be downloaded from Extract the tarball and changing into the extracted directory, then as the root user install the firmware:

install -vdm755 /usr/lib/firmware/intel    &&
cp -av -T --no-preserve=ownership sof      \
   /usr/lib/firmware/intel/sof             &&
cp -av -T --no-preserve=ownership sof-tplg \

alsa-lib-1.2.11 needs Use Case Manager configuration files for the systems using Sound Open Firmware as well. The ALSA UCM configuration files can be downloaded from Extract the tarball and changing into the extracted directory, then as the root user install the configuration files:

install -vdm755 /usr/share/alsa &&
cp -av -T --no-preserve=ownership ucm2 /usr/share/alsa/ucm2

Once the firmware is loaded (you may need a reboot so the kernel will load them) and the UCM configuration files are installed, following the section called “Configuring ALSA Utilities” to set up your sound card for ALSA properly.

Firmware for Other Devices

Identifying the correct firmware will typically require you to install pciutils-3.10.0, and then use lspci to identify the device. You should then search online to check which module it uses, which firmware, and where to obtain the firmware — not all of it is in linux-firmware.

If possible, you should begin by using a wired connection when you first boot your LFS system. To use a wireless connection you will need to use a network tools such as iw-6.7, Wireless Tools-29, or wpa_supplicant-2.10.

Firmware may also be needed for other devices such as some SCSI controllers, bluetooth adaptors, or TV recorders. The same principles apply.

Include Firmware Blobs in the Kernel Image

Some drivers, notably the drivers for ATI or AMD GPU, requires the firmware files accessible at the time it is loaded. The easiest method to handle these drivers is building them as a kernel module. An alternative method is creating an initramfs (read the section called “About initramfs” for details) including the firmware files. If you don't want to use either methods, you may include the firmware files in the kernel image itself. Install the needed firmware files into /lib/firmware first, then set the following kernel configuration and rebuild the kernel:

Device Drivers --->
  Generic Driver Options --->
    Firmware loader --->
      <*>                   Firmware loading facility                [FW_LOADER]
      (xx/aa.bin xx/bb.bin)   Build named firmware blobs into the kernel binary
                                                           ...  [EXTRA_FIRMWARE]
      (/lib/firmware)           Firmware blobs root directory
                                                       ...  [EXTRA_FIRMWARE_DIR]

Replace xx/aa.bin xx/bb.bin with a whitespace-separated list of paths to the needed firmware files, relative to /lib/firmware. A method easier than manually typing the list (it may be long) is running the following command:

echo CONFIG_EXTRA_FIRMWARE='"'$({ cd /lib/firmware; echo amdgpu/* })'"' >> .config
make oldconfig

Replace amdgpu/* with a shell pattern matching the needed firmware files.


Do not distribute a kernel image containing the firmware to others or you may violate the GPL.

About Devices

Although most devices needed by packages in BLFS and beyond are set up properly by udev using the default rules installed by LFS in /etc/udev/rules.d, there are cases where the rules must be modified or augmented.

Multiple Sound Cards

If there are multiple sound cards in a system, the "default" sound card becomes random. The method to establish sound card order depends on whether the drivers are modules or not. If the sound card drivers are compiled into the kernel, control is via kernel command line parameters in /boot/grub/grub.cfg. For example, if a system has both an FM801 card and a SoundBlaster PCI card, the following can be appended to the command line:

snd-fm801.index=0 snd-ens1371.index=1

If the sound card drivers are built as modules, the order can be established in the /etc/modprobe.conf file with:

options snd-fm801 index=0
options snd-ens1371 index=1

USB Device Issues

USB devices usually have two kinds of device nodes associated with them.

The first kind is created by device-specific drivers (e.g., usb_storage/sd_mod or usblp) in the kernel. For example, a USB mass storage device would be /dev/sdb, and a USB printer would be /dev/usb/lp0. These device nodes exist only when the device-specific driver is loaded.

The second kind of device nodes (/dev/bus/usb/BBB/DDD, where BBB is the bus number and DDD is the device number) are created even if the device doesn't have a kernel driver. By using these "raw" USB device nodes, an application can exchange arbitrary USB packets with the device, i.e., bypass the possibly-existing kernel driver.

Access to raw USB device nodes is needed when a userspace program is acting as a device driver. However, for the program to open the device successfully, the permissions have to be set correctly. By default, due to security concerns, all raw USB devices are owned by user root and group root, and have 0664 permissions (the read access is needed, e.g., for lsusb to work and for programs to access USB hubs). Packages (such as SANE and libgphoto2) containing userspace USB device drivers also ship udev rules that change the permissions of the controlled raw USB devices. That is, rules installed by SANE change permissions for known scanners, but not printers. If a package maintainer forgot to write a rule for your device, report a bug to both BLFS (if the package is there) and upstream, and you will need to write your own rule.

Before Linux-2.6.15, raw USB device access was performed not with /dev/bus/usb/BBB/DDD device nodes, but with /proc/bus/usb/BBB/DDD pseudofiles. Some applications still use only this deprecated technique and can't use the new device nodes. They cannot work with Linux kernel version 3.5 or newer. If you need to run such an application, contact the developer of it for a fix.

Udev Device Attributes

Fine-tuning of device attributes such as group name and permissions is possible by creating extra udev rules, matching on something like this. The vendor and product can be found by searching the /sys/devices directory entries or using udevadm info after the device has been attached. See the documentation in the current udev directory of /usr/share/doc for details.

SUBSYSTEM=="usb_device", SYSFS{idVendor}=="05d8", SYSFS{idProduct}=="4002", \
  GROUP:="scanner", MODE:="0660"


The above line is used for descriptive purposes only. The scanner udev rules are put into place when installing SANE-1.2.1.

Devices for DVD Drives

If the initial boot process does not set up the /dev/dvd device properly, it can be installed using the following modification to the default udev rules. As the root user, run:

sed '1d;/SYMLINK.*cdrom/ a\
KERNEL=="sr0", ENV{ID_CDROM_DVD}=="1", SYMLINK+="dvd", OPTIONS+="link_priority=-100"' \
/lib/udev/rules.d/60-cdrom_id.rules > /etc/udev/rules.d/60-cdrom_id.rules

Configuring for Adding Users

Together, the /usr/sbin/useradd command and /etc/skel directory (both are easy to set up and use) provide a way to assure new users are added to your LFS system with the same beginning settings for things such as the PATH, keyboard processing and other environmental variables. Using these two facilities makes it easier to assure this initial state for each new user added to the system.

The /etc/skel directory holds copies of various initialization and other files that may be copied to the new user's home directory when the /usr/sbin/useradd program adds the new user.


The useradd program uses a collection of default values kept in /etc/default/useradd. This file is created in a base LFS installation by the Shadow package. If it has been removed or renamed, the useradd program uses some internal defaults. You can see the default values by running /usr/sbin/useradd -D.

To change these values, simply modify the /etc/default/useradd file as the root user. An alternative to directly modifying the file is to run useradd as the root user while supplying the desired modifications on the command line. Information on how to do this can be found in the useradd man page.


To get started, create an /etc/skel directory and make sure it is writable only by the system administrator, usually root. Creating the directory as root is the best way to go.

The mode of any files from this part of the book that you put in /etc/skel should be writable only by the owner. Also, since there is no telling what kind of sensitive information a user may eventually place in their copy of these files, you should make them unreadable by "group" and "other".

You can also put other files in /etc/skel and different permissions may be needed for them.

Decide which initialization files should be provided in every (or most) new user's home directory. The decisions you make will affect what you do in the next two sections, The Bash Shell Startup Files and The vimrc Files. Some or all of those files will be useful for root, any already-existing users, and new users.

The files from those sections that you might want to place in /etc/skel include .inputrc, .bash_profile, .bashrc, .bash_logout, .dircolors, and .vimrc. If you are unsure which of these should be placed there, just continue to the following sections, read each section and any references provided, and then make your decision.

You will run a slightly modified set of commands for files which are placed in /etc/skel. Each section will remind you of this. In brief, the book's commands have been written for files not added to /etc/skel and instead just sends the results to the user's home directory. If the file is going to be in /etc/skel, change the book's command(s) to send output there instead and then just copy the file from /etc/skel to the appropriate directories, like /etc, ~ or the home directory of any other user already in the system.

When Adding a User

When adding a new user with useradd, use the -m parameter, which tells useradd to create the user's home directory and copy files from /etc/skel (can be overridden) to the new user's home directory. For example (perform as the root user):

useradd -m <newuser>

If you are sharing a /home or /usr/src with another Linux distro (for example, the host distro used for building LFS), you can create a user with the same UID (and, same primary group GID) to keep the file ownership consistent across the systems. First, on the other distro, get the UID of the user and the GID of the user's primary group:

getent passwd <username> | cut -d ':' -f 3,4

The command should output the UID and GID, separated by a colon. Now on the BLFS system, create the primary group and the user:

groupadd -g <GID> <username> &&
useradd -u <UID> -g <username> <username>

About System Users and Groups

Throughout BLFS, many packages install programs that run as daemons or in some way should have a user or group name assigned. Generally these names are used to map a user ID (uid) or group ID (gid) for system use. Generally the specific uid or gid numbers used by these applications are not significant. The exception of course, is that root has a uid and gid of 0 (zero) that is indeed special. The uid values are stored in /etc/passwd and the gid values are found in /etc/group.

Customarily, Unix systems classify users and groups into two categories: system users and regular users. The system users and groups are given low numbers and regular users and groups have numeric values greater than all the system values. The cutoff for these numbers is found in two parameters in the /etc/login.defs configuration file. The default UID_MIN value is 1000 and the default GID_MIN value is 1000. If a specific uid or gid value is not specified when creating a user with useradd or a group with groupadd the values assigned will always be above these cutoff values.

Additionally, the Linux Standard Base recommends that system uid and gid values should be below 100.

Below is a table of suggested uid/gid values used in BLFS beyond those defined in a base LFS installation. These can be changed as desired, but provide a suggested set of consistent values.

Table 3.1. UID/GID Suggested Values

Name uid gid
bin 1
lp 9
adm 16
atd 17 17
messagebus 18 18
lpadmin   19
named 20 20
gdm 21 21
fcron 22 22
systemd-journal 23 23
apache 25 25
smmsp 26 26
polkitd 27 27
rpc 28 28
exim 31 31
postfix 32 32
postdrop 33
sendmail 34
mail 34
vmailman 35 35
news 36 36
kdm 37 37
fetchmail 38
mysql 40 40
postgres 41 41
dovecot 42 42
dovenull 43 43
ftp 45 45
proftpd 46 46
vsftpd 47 47
rsyncd 48 48
sshd 50 50
stunnel 51 51
dhcpcd 52 52
svn 56 56
svntest 57
git 58 58
games 60 60
kvm 61
wireshark 62
lightdm 63 63
sddm 64 64
lightdm 65 65
scanner 70
colord 71 71
systemd-journal-gateway 73 73
systemd-journal-remote 74 74
systemd-journal-upload 75 75
systemd-network 76 76
systemd-resolve 77 77
systemd-timesync 78 78
systemd-coredump 79 79
uuidd 80 80
systemd-oom 81 81
ldap 83 83
avahi 84 84
avahi-autoipd 85 85
netdev 86
ntp 87 87
unbound 88 88
plugdev 90
wheel 97
anonymous 98
nobody 65534
nogroup 65534

The Bash Shell Startup Files

The shell program /bin/bash (hereafter referred to as just "the shell") uses a collection of startup files to help create an environment. Each file has a specific use and may affect login and interactive environments differently. The files in the /etc directory generally provide global settings. If an equivalent file exists in your home directory it may override the global settings.

An interactive login shell is started after a successful login, using /bin/login, by reading the /etc/passwd file. This shell invocation normally reads /etc/profile and its private equivalent ~/.bash_profile (or ~/.profile if called as /bin/sh) upon startup.

An interactive non-login shell is normally started at the command-line using a shell program (e.g., [prompt]$/bin/bash) or by the /bin/su command. An interactive non-login shell is also started with a terminal program such as xterm or konsole from within a graphical environment. This type of shell invocation normally copies the parent environment and then reads the user's ~/.bashrc file for additional startup configuration instructions.

A non-interactive shell is usually present when a shell script is running. It is non-interactive because it is processing a script and not waiting for user input between commands. For these shell invocations, only the environment inherited from the parent shell is used.

The file ~/.bash_logout is not used for an invocation of the shell. It is read and executed when a user exits from an interactive login shell.

Many distributions use /etc/bashrc for system wide initialization of non-login shells. This file is usually called from the user's ~/.bashrc file and is not built directly into bash itself. This convention is followed in this section.

For more information see info bash -- Nodes: Bash Startup Files and Interactive Shells.


Most of the instructions below are used to create files located in the /etc directory structure which requires you to execute the commands as the root user. If you elect to create the files in user's home directories instead, you should run the commands as an unprivileged user.

Editor Notes:


Here is a base /etc/profile. This file starts by setting up some helper functions and some basic parameters. It specifies some bash history parameters and, for security purposes, disables keeping a permanent history file for the root user. It also sets a default user prompt. It then calls small, single purpose scripts in the /etc/profile.d directory to provide most of the initialization.

For more information on the escape sequences you can use for your prompt (i.e., the PS1 environment variable) see info bash -- Node: Printing a Prompt.

cat > /etc/profile << "EOF"
# Begin /etc/profile
# Written for Beyond Linux From Scratch
# by James Robertson <>
# modifications by Dagmar d'Surreal <rivyqntzne@pbzpnfg.arg>

# System wide environment variables and startup programs.

# System wide aliases and functions should go in /etc/bashrc.  Personal
# environment variables and startup programs should go into
# ~/.bash_profile.  Personal aliases and functions should go into
# ~/.bashrc.

# Functions to help us manage paths.  Second argument is the name of the
# path variable to be modified (default: PATH)
pathremove () {
        local IFS=':'
        local NEWPATH
        local DIR
        local PATHVARIABLE=${2:-PATH}
        for DIR in ${!PATHVARIABLE} ; do
                if [ "$DIR" != "$1" ] ; then
        export $PATHVARIABLE="$NEWPATH"

pathprepend () {
        pathremove $1 $2
        local PATHVARIABLE=${2:-PATH}

pathappend () {
        pathremove $1 $2
        local PATHVARIABLE=${2:-PATH}

export -f pathremove pathprepend pathappend

# Set the initial path
export PATH=/usr/bin

# Attempt to provide backward compatibility with LFS earlier than 11
if [ ! -L /bin ]; then
        pathappend /bin

if [ $EUID -eq 0 ] ; then
        pathappend /usr/sbin
        if [ ! -L /sbin ]; then
                pathappend /sbin
        unset HISTFILE

# Set up some environment variables.
export HISTSIZE=1000
export HISTIGNORE="&:[bf]g:exit"

# Set some defaults for graphical systems
export XDG_DATA_DIRS=${XDG_DATA_DIRS:-/usr/share/}
export XDG_CONFIG_DIRS=${XDG_CONFIG_DIRS:-/etc/xdg/}

# Set up a red prompt for root and a green one for users.
if [[ $EUID == 0 ]] ; then
  PS1="$RED\u [ $NORMAL\w$RED ]# $NORMAL"

for script in /etc/profile.d/*.sh ; do
        if [ -r $script ] ; then
                . $script

unset script RED GREEN NORMAL

# End /etc/profile

The /etc/profile.d Directory

Now create the /etc/profile.d directory, where the individual initialization scripts are placed:

install --directory --mode=0755 --owner=root --group=root /etc/profile.d



Using the bash completion script below is controversial. Not all users like it. It adds many (usually over 1000) lines to the bash environment and makes it difficult to use the 'set' command to examine simple environment variables. Omitting this script does not interfere with the ability of bash to use the tab key for file name completion.

This script imports bash completion scripts, installed by many other BLFS packages, to allow TAB command line completion.

cat > /etc/profile.d/ << "EOF"
# Begin /etc/profile.d/
# Import bash completion scripts

# If the bash-completion package is installed, use its configuration instead
if [ -f /usr/share/bash-completion/bash_completion ]; then

  # Check for interactive bash and that we haven't already been sourced.
  if [ -n "${BASH_VERSION-}" -a -n "${PS1-}" -a -z "${BASH_COMPLETION_VERSINFO-}" ]; then

    # Check for recent enough version of bash.
    if [ ${BASH_VERSINFO[0]} -gt 4 ] || \
       [ ${BASH_VERSINFO[0]} -eq 4 -a ${BASH_VERSINFO[1]} -ge 1 ]; then
       [ -r "${XDG_CONFIG_HOME:-$HOME/.config}/bash_completion" ] && \
            . "${XDG_CONFIG_HOME:-$HOME/.config}/bash_completion"
       if shopt -q progcomp && [ -r /usr/share/bash-completion/bash_completion ]; then
          # Source completion code.
          . /usr/share/bash-completion/bash_completion


  # bash-completions are not installed, use only bash completion directory
  if shopt -q progcomp; then
    for script in /etc/bash_completion.d/* ; do
      if [ -r $script ] ; then
        . $script

# End /etc/profile.d/

Make sure that the directory exists:

install --directory --mode=0755 --owner=root --group=root /etc/bash_completion.d

For a more complete installation, see


This script uses the ~/.dircolors and /etc/dircolors files to control the colors of file names in a directory listing. They control colorized output of things like ls --color. The explanation of how to initialize these files is at the end of this section.

cat > /etc/profile.d/ << "EOF"
# Setup for /bin/ls and /bin/grep to support color, the alias is in /etc/bashrc.
if [ -f "/etc/dircolors" ] ; then
        eval $(dircolors -b /etc/dircolors)

if [ -f "$HOME/.dircolors" ] ; then
        eval $(dircolors -b $HOME/.dircolors)

alias ls='ls --color=auto'
alias grep='grep --color=auto'


This script adds some useful paths to the PATH and can be used to customize other PATH related environment variables (e.g. LD_LIBRARY_PATH, etc) that may be needed for all users.

cat > /etc/profile.d/ << "EOF"
if [ -d /usr/local/lib/pkgconfig ] ; then
        pathappend /usr/local/lib/pkgconfig PKG_CONFIG_PATH
if [ -d /usr/local/bin ]; then
        pathprepend /usr/local/bin
if [ -d /usr/local/sbin -a $EUID -eq 0 ]; then
        pathprepend /usr/local/sbin

if [ -d /usr/local/share ]; then
        pathprepend /usr/local/share XDG_DATA_DIRS

# Set some defaults before other applications add to these paths.
pathappend /usr/share/man  MANPATH
pathappend /usr/share/info INFOPATH


This script sets up the default inputrc configuration file. If the user does not have individual settings, it uses the global file.

cat > /etc/profile.d/ << "EOF"
# Set up the INPUTRC environment variable.
if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ] ; then
export INPUTRC


Setting the umask value is important for security. Here the default group write permissions are turned off for system users and when the user name and group name are not the same.

cat > /etc/profile.d/ << "EOF"
# By default, the umask should be set.
if [ "$(id -gn)" = "$(id -un)" -a $EUID -gt 99 ] ; then
  umask 002
  umask 022


This script sets an environment variable necessary for native language support. A full discussion on determining this variable can be found on the LFS Bash Shell Startup Files page.

cat > /etc/profile.d/ << "EOF"
# Set up i18n variables
for i in $(locale); do
  unset ${i%=*}

if [[ "$TERM" = linux ]]; then
  export LANG=C.UTF-8
  source /etc/locale.conf

  for i in $(locale); do
    if [[ -v $key ]]; then
      export $key

Other Initialization Values

Other initialization can easily be added to the profile by adding additional scripts to the /etc/profile.d directory.


Here is a base /etc/bashrc. Comments in the file should explain everything you need.

cat > /etc/bashrc << "EOF"
# Begin /etc/bashrc
# Written for Beyond Linux From Scratch
# by James Robertson <>
# updated by Bruce Dubbs <>

# System wide aliases and functions.

# System wide environment variables and startup programs should go into
# /etc/profile.  Personal environment variables and startup programs
# should go into ~/.bash_profile.  Personal aliases and functions should
# go into ~/.bashrc

# Provides colored /bin/ls and /bin/grep commands.  Used in conjunction
# with code in /etc/profile.

alias ls='ls --color=auto'
alias grep='grep --color=auto'

# Provides prompt for non-login shells, specifically shells started
# in the X environment. [Review the LFS archive thread titled
# PS1 Environment Variable for a great case study behind this script
# addendum.]

if [[ $EUID == 0 ]] ; then
  PS1="$RED\u [ $NORMAL\w$RED ]# $NORMAL"


# End /etc/bashrc


Here is a base ~/.bash_profile. If you want each new user to have this file automatically, just change the output of the command to /etc/skel/.bash_profile and check the permissions after the command is run. You can then copy /etc/skel/.bash_profile to the home directories of already existing users, including root, and set the owner and group appropriately.

cat > ~/.bash_profile << "EOF"
# Begin ~/.bash_profile
# Written for Beyond Linux From Scratch
# by James Robertson <>
# updated by Bruce Dubbs <>

# Personal environment variables and startup programs.

# Personal aliases and functions should go in ~/.bashrc.  System wide
# environment variables and startup programs are in /etc/profile.
# System wide aliases and functions are in /etc/bashrc.

if [ -f "$HOME/.bashrc" ] ; then
  source $HOME/.bashrc

if [ -d "$HOME/bin" ] ; then
  pathprepend $HOME/bin

# Having . in the PATH is dangerous
#if [ $EUID -gt 99 ]; then
#  pathappend .

# End ~/.bash_profile


Here is a base ~/.profile. The comments and instructions for using /etc/skel for .bash_profile above also apply here. Only the target file names are different.

cat > ~/.profile << "EOF"
# Begin ~/.profile
# Personal environment variables and startup programs.

if [ -d "$HOME/bin" ] ; then
  pathprepend $HOME/bin

# Set up user specific i18n variables
#export LANG=<ll>_<CC>.<charmap><@modifiers>

# End ~/.profile


Here is a base ~/.bashrc.

cat > ~/.bashrc << "EOF"
# Begin ~/.bashrc
# Written for Beyond Linux From Scratch
# by James Robertson <>

# Personal aliases and functions.

# Personal environment variables and startup programs should go in
# ~/.bash_profile.  System wide environment variables and startup
# programs are in /etc/profile.  System wide aliases and functions are
# in /etc/bashrc.

if [ -f "/etc/bashrc" ] ; then
  source /etc/bashrc

# Set up user specific i18n variables
#export LANG=<ll>_<CC>.<charmap><@modifiers>

# End ~/.bashrc


This is an empty ~/.bash_logout that can be used as a template. You will notice that the base ~/.bash_logout does not include a clear command. This is because the clear is handled in the /etc/issue file.

cat > ~/.bash_logout << "EOF"
# Begin ~/.bash_logout
# Written for Beyond Linux From Scratch
# by James Robertson <>

# Personal items to perform on logout.

# End ~/.bash_logout


If you want to use the dircolors capability, then run the following command. The /etc/skel setup steps shown above also can be used here to provide a ~/.dircolors file when a new user is set up. As before, just change the output file name on the following command and assure the permissions, owner, and group are correct on the files created and/or copied.

dircolors -p > /etc/dircolors

If you wish to customize the colors used for different file types, you can edit the /etc/dircolors file. The instructions for setting the colors are embedded in the file.

Finally, Ian Macdonald has written an excellent collection of tips and tricks to enhance your shell environment. You can read it online at

The /etc/vimrc and ~/.vimrc Files

The LFS book installs Vim as its text editor. At this point it should be noted that there are a lot of different editing applications out there including Emacs, nano, Joe and many more. Anyone who has been around the Internet (especially usenet) for a short time will certainly have observed at least one flame war, usually involving Vim and Emacs users!

The LFS book creates a basic vimrc file. In this section you'll find an attempt to enhance this file. At startup, vim reads the global configuration file (/etc/vimrc) as well as a user-specific file (~/.vimrc). Either or both can be tailored to suit the needs of your particular system.

Here is a slightly expanded .vimrc that you can put in ~/.vimrc to provide user specific effects. Of course, if you put it into /etc/skel/.vimrc instead, it will be made available to users you add to the system later. You can also copy the file from /etc/skel/.vimrc to the home directory of users already on the system, such as root. Be sure to set permissions, owner, and group if you do copy anything directly from /etc/skel.

" Begin .vimrc

set columns=80
set wrapmargin=8
set ruler

" End .vimrc

Note that the comment tags are " instead of the more usual # or //. This is correct, the syntax for vimrc is slightly unusual.

Below you'll find a quick explanation of what each of the options in this example file means here:

  • set columns=80: This simply sets the number of columns used on the screen.

  • set wrapmargin=8: This is the number of characters from the right window border where wrapping starts.

  • set ruler: This makes vim show the current row and column at the bottom right of the screen.

More information on the many vim options can be found by reading the help inside vim itself. Do this by typing :help in vim to get the general help, or by typing :help usr_toc.txt to view the User Manual Table of Contents.

Customizing your Logon with /etc/issue

When you first boot up your new LFS system, the logon screen will be nice and plain (as it should be in a bare-bones system). Many people however, will want their system to display some information in the logon message. This can be accomplished using the file /etc/issue.

The /etc/issue file is a plain text file which will also accept certain escape sequences (see below) in order to insert information about the system. There is also the file which can be used when logging on remotely. ssh however, will only use it if you set the option in the configuration file and will not interpret the escape sequences shown below.

One of the most common things which people want to do is clear the screen at each logon. The easiest way of doing that is to put a "clear" escape sequence into /etc/issue. A simple way of doing this is to issue the command clear > /etc/issue. This will insert the relevant escape code into the start of the /etc/issue file. Note that if you do this, when you edit the file, you should leave the characters (normally '^[[H^[[2J') on the first line alone.


Terminal escape sequences are special codes recognized by the terminal. The ^[ represents an ASCII ESC character. The sequence ESC [ H puts the cursor in the upper left hand corner of the screen and ESC 2 J erases the screen. For more information on terminal escape sequences see

The following sequences are recognized by agetty (the program which usually parses /etc/issue). This information is from man agetty where you can find extra information about the logon process.

The issue file can contain certain character sequences to display various information. All issue sequences consist of a backslash (\) immediately followed by one of the letters explained below (so \d in /etc/issue would insert the current date).

b   Insert the baudrate of the current line.
d   Insert the current date.
s   Insert the system name, the name of the operating system.
l   Insert the name of the current tty line.
m   Insert the architecture identifier of the machine, e.g., i686.
n   Insert the nodename of the machine, also known as the hostname.
o   Insert the domainname of the machine.
r   Insert the release number of the kernel, e.g.,
t   Insert the current time.
u   Insert the number of current users logged in.
U   Insert the string "1 user" or "<n> users" where <n> is the
    number of current users logged in.
v   Insert the version of the OS, e.g., the build-date etc.

Chapter 4. Security

Security takes many forms in a computing environment. After some initial discussion, this chapter gives examples of three different types of security: access, prevention and detection.

Access for users is usually handled by login or an application designed to handle the login function. In this chapter, we show how to enhance login by setting policies with PAM modules. Access via networks can also be secured by policies set by iptables, commonly referred to as a firewall. The Network Security Services (NSS) and Netscape Portable Runtime (NSPR) libraries can be installed and shared among the many applications requiring them. For applications that don't offer the best security, you can use the Stunnel package to wrap an application daemon inside an SSL tunnel.

Prevention of breaches, like a trojan, are assisted by applications like GnuPG, specifically the ability to confirm signed packages, which recognizes modifications of the tarball after the packager creates it.

Finally, we touch on detection with a package that stores "signatures" of critical files (defined by the administrator) and then regenerates those "signatures" and compares for files that have been changed.


About vulnerabilities

All software has bugs. Sometimes, a bug can be exploited, for example to allow users to gain enhanced privileges (perhaps gaining a root shell, or simply accessing or deleting other user's files), or to allow a remote site to crash an application (denial of service), or for theft of data. These bugs are labelled as vulnerabilities.

The main place where vulnerabilities get logged is Unfortunately, many vulnerability numbers (CVE-yyyy-nnnn) are initially only labelled as "reserved" when distributions start issuing fixes. Also, some vulnerabilities apply to particular combinations of configure options, or only apply to old versions of packages which have long since been updated in BLFS.

BLFS differs from distributions—there is no BLFS security team, and the editors only become aware of vulnerabilities after they are public knowledge. Sometimes, a package with a vulnerability will not be updated in the book for a long time. Issues can be logged in the Trac system, which might speed up resolution.

The normal way for BLFS to fix a vulnerability is, ideally, to update the book to a new fixed release of the package. Sometimes that happens even before the vulnerability is public knowledge, so there is no guarantee that it will be shown as a vulnerability fix in the Changelog. Alternatively, a sed command, or a patch taken from a distribution, may be appropriate.

The bottom line is that you are responsible for your own security, and for assessing the potential impact of any problems.

The editors now issue Security Advisories for packages in BLFS (and LFS), which can be found at BLFS Security Advisories, and grade the severity according to what upstream reports, or to what is shown at if that has details.

To keep track of what is being discovered, you may wish to follow the security announcements of one or more distributions. For example, Debian has Debian security. Fedora's links on security are at the Fedora wiki. Details of Gentoo linux security announcements are discussed at Gentoo security. Finally, the Slackware archives of security announcements are at Slackware security.

The most general English source is perhaps the Full Disclosure Mailing List, but please read the comment on that page. If you use other languages you may prefer other sites such as (German) or (Croatian). These are not linux-specific. There is also a daily update at for subscribers (free access to the data after 2 weeks, but their vulnerabilities database at is unrestricted).

For some packages, subscribing to their 'announce' lists will provide prompt news of newer versions.


Introduction to make-ca

Public Key Infrastructure (PKI) is a method to validate the authenticity of an otherwise unknown entity across untrusted networks. PKI works by establishing a chain of trust, rather than trusting each individual host or entity explicitly. In order for a certificate presented by a remote entity to be trusted, that certificate must present a complete chain of certificates that can be validated using the root certificate of a Certificate Authority (CA) that is trusted by the local machine.

Establishing trust with a CA involves validating things like company address, ownership, contact information, etc., and ensuring that the CA has followed best practices, such as undergoing periodic security audits by independent investigators and maintaining an always available certificate revocation list. This is well outside the scope of BLFS (as it is for most Linux distributions). The certificate store provided here is taken from the Mozilla Foundation, who have established very strict inclusion policies described here.

This package is known to build and work properly using an LFS 12.1 platform.

Package Information


This package ships a CA certificate for validating the identity of If the trust chain of this website has been changed after the release of make-ca-1.13, it may fail to get the revision of certdata.txt from server. Use an updated make-ca release at the release page if this issue happens.

make-ca Dependencies


p11-kit-0.25.3 (runtime, built after libtasn1-4.19.0, required in the following instructions to generate certificate stores from trust anchors, and each time make-ca is run)

Optional (runtime)

nss-3.98 (to generate a shared NSSDB)

Installation of make-ca and Generation of the CA-certificates stores

The make-ca script will download and process the certificates included in the certdata.txt file for use as trust anchors for the p11-kit-0.25.3 trust module. Additionally, it will generate system certificate stores used by BLFS applications (if the recommended and optional applications are present on the system). Any local certificates stored in /etc/ssl/local will be imported to both the trust anchors and the generated certificate stores (overriding Mozilla's trust). Additionally, any modified trust values will be copied from the trust anchors to /etc/ssl/local prior to any updates, preserving custom trust values that differ from Mozilla when using the trust utility from p11-kit to operate on the trust store.

To install the various certificate stores, first install the make-ca script into the correct location. As the root user:

make install &&
install -vdm755 /etc/ssl/local


Technically, this package is already installed at this point. But most packages listing make-ca as a dependency actually require the system certificate store set up by this package, rather than the make-ca program itself. So the instructions for using make-ca for setting up the system certificate store are included in this section. You should make sure the required runtime dependency for make-ca is satisfied now, and continue to follow the instructions.

As the root user, download the certificate source and prepare for system use with the following command:


If running the script a second time with the same version of certdata.txt, for instance, to update the stores when make-ca is upgraded, or to add additional stores as the requisite software is installed, replace the -g switch with the -r switch in the command line. If packaging, run make-ca --help to see all available command line options.

/usr/sbin/make-ca -g

You should periodically update the store with the above command, either manually, or via a systemd timer. A timer is installed at /usr/lib/systemd/system/update-pki.timer that, if enabled, will check for updates weekly. Execute the following commands, as the root user, to enable the systemd timer:

systemctl enable update-pki.timer

Configuring make-ca

For most users, no additional configuration is necessary, however, the default certdata.txt file provided by make-ca is obtained from the mozilla-release branch, and is modified to provide a Mercurial revision. This will be the correct version for most systems. There are several other variants of the file available for use that might be preferred for one reason or another, including the files shipped with Mozilla products in this book. RedHat and OpenSUSE, for instance, use the version included in nss-3.98. Additional upstream downloads are available at the links included in /etc/make-ca/make-ca.conf.dist. Simply copy the file to /etc/make-ca.conf and edit as appropriate.

About Trust Arguments

There are three trust types that are recognized by the make-ca script, SSL/TLS, S/Mime, and code signing. For OpenSSL, these are serverAuth, emailProtection, and codeSigning respectively. If one of the three trust arguments is omitted, the certificate is neither trusted, nor rejected for that role. Clients that use OpenSSL or NSS encountering this certificate will present a warning to the user. Clients using GnuTLS without p11-kit support are not aware of trusted certificates. To include this CA into the ca-bundle.crt, email-ca-bundle.crt, or objsign-ca-bundle.crt files (the GnuTLS legacy bundles), it must have the appropriate trust arguments.

Adding Additional CA Certificates

The /etc/ssl/local directory is available to add additional CA certificates to the system trust store. This directory is also used to store certificates that were added to or modified in the system trust store by p11-kit-0.25.3 so that trust values are maintained across upgrades. Files in this directory must be in the OpenSSL trusted certificate format. Certificates imported using the trust utility from p11-kit-0.25.3 will utilize the x509 Extended Key Usage values to assign default trust values for the system anchors.

If you need to override trust values, or otherwise need to create an OpenSSL trusted certificate manually from a regular PEM encoded file, you need to add trust arguments to the openssl command, and create a new certificate. For example, using the CAcert roots, if you want to trust both for all three roles, the following commands will create appropriate OpenSSL trusted certificates (run as the root user after Wget-1.21.4 is installed):

wget &&
wget &&
openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
        > /etc/ssl/local/CAcert_Class_1_root.pem &&
openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
        -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
        > /etc/ssl/local/CAcert_Class_3_root.pem &&
/usr/sbin/make-ca -r

Overriding Mozilla Trust

Occasionally, there may be instances where you don't agree with Mozilla's inclusion of a particular certificate authority. If you'd like to override the default trust of a particular CA, simply create a copy of the existing certificate in /etc/ssl/local with different trust arguments. For example, if you'd like to distrust the "Makebelieve_CA_Root" file, run the following commands:

openssl x509 -in /etc/ssl/certs/Makebelieve_CA_Root.pem \
             -text \
             -fingerprint \
             -setalias "Disabled Makebelieve CA Root" \
             -addreject serverAuth \
             -addreject emailProtection \
             -addreject codeSigning \
       > /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem &&
/usr/sbin/make-ca -r

Using make-ca with Python3

When Python3 was installed in LFS it included the pip3 module with vendored certificates from the Certifi module. That was necessary, but it means that whenever pip3 is used it can reference those certificates, primarily when creating a virtual environment or when installing a module with all its wheel dependencies in one go.

It is generally considered that the System Administrator should be in charge of which certificates are available. Now that make-ca-1.13 and p11-kit-0.25.3 have been installed and make-ca has been configured, it is possible to make pip3 use the system certificates.

The vendored certificates installed in LFS are a snapshot from when the pulled-in version of Certifi was created. If you regularly update the system certificates, the vendored version will become out of date.

To use the system certificates in Python3 you should set _PIP_STANDALONE_CERT to point to them, e.g for the bash shell:

export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt


If you have created virtual environments, for example when testing modules, and those include the Requests and Certifi modules in ~/.local/lib/python3.11/ then those local modules will be used instead of the system certificates unless you remove the local modules.

To use the system certificates in Python3 with the BLFS profiles add the following variable to your system or personal profiles:

mkdir -pv /etc/profile.d &&
cat > /etc/profile.d/ << "EOF"
# Begin /etc/profile.d/

export _PIP_STANDALONE_CERT=/etc/pki/tls/certs/ca-bundle.crt

# End /etc/profile.d/


Installed Programs: make-ca
Installed Directories: /etc/ssl/{certs,local} and /etc/pki/{nssdb,anchors,tls/{certs,java}}

Short Descriptions


is a shell script that adapts a current version of certdata.txt, and prepares it for use as the system trust store


Introduction to CrackLib

The CrackLib package contains a library used to enforce strong passwords by comparing user selected passwords to words in chosen word lists.

This package is known to build and work properly using an LFS 12.1 platform.

Package Information

Additional Downloads

Recommended word list for English-speaking countries:

There are additional word lists available for download, e.g., from CrackLib can utilize as many, or as few word lists you choose to install.


Users tend to base their passwords on regular words of the spoken language, and crackers know that. CrackLib is intended to filter out such bad passwords at the source using a dictionary created from word lists. To accomplish this, the word list(s) for use with CrackLib must be an exhaustive list of words and word-based keystroke combinations likely to be chosen by users of the system as (guessable) passwords.

The default word list recommended above for downloading mostly satisfies this role in English-speaking countries. In other situations, it may be necessary to download (or even create) additional word lists.

Note that word lists suitable for spell-checking are not usable as CrackLib word lists in countries with non-Latin based alphabets, because of word-based keystroke combinations that make bad passwords.

Installation of CrackLib

Install CrackLib by running the following commands:

autoreconf -fiv &&

PYTHON=python3               \
./configure --prefix=/usr    \
            --disable-static \
            --with-default-dict=/usr/lib/cracklib/pw_dict &&

Now, as the root user:

make install

Issue the following commands as the root user to install the recommended word list and create the CrackLib dictionary. Other word lists (text based, one word per line) can also be used by simply installing them into /usr/share/dict and adding them to the create-cracklib-dict command.

install -v -m644 -D    ../cracklib-words-2.9.11.xz \
                         /usr/share/dict/cracklib-words.xz    &&

unxz -v                  /usr/share/dict/cracklib-words.xz    &&
ln -v -sf cracklib-words /usr/share/dict/words                &&
echo $(hostname) >>      /usr/share/dict/cracklib-extra-words &&
install -v -m755 -d      /usr/lib/cracklib                    &&

create-cracklib-dict     /usr/share/dict/cracklib-words \

If desired, check the proper operation of the library as an unprivileged user by issuing the following command:

make test


If you are installing CrackLib after your LFS system has been completed and you have the Shadow package installed, you must reinstall Shadow-4.14.5 if you wish to provide strong password support on your system. If you are now going to install the Linux-PAM-1.6.0 package, you may disregard this note as Shadow will be reinstalled after the Linux-PAM installation.

Command Explanations

autoreconf -fiv: The configure script shipped with the package is too old to get the right version string of Python 3.10 or later. This command regenerates it with a more recent version of autotools, which fixes the issue.

PYTHON=python3: This forces the installation of python bindings for Python 3, even if Python 2 is installed.

--with-default-dict=/usr/lib/cracklib/pw_dict: This parameter forces the installation of the CrackLib dictionary to the /lib hierarchy.

--disable-static: This switch prevents installation of static versions of the libraries.

install -v -m644 -D ...: This command creates the /usr/share/dict directory (if it doesn't already exist) and installs the compressed word list there.

ln -v -s cracklib-words /usr/share/dict/words: The word list is linked to /usr/share/dict/words as historically, words is the primary word list in the /usr/share/dict directory. Omit this command if you already have a /usr/share/dict/words file installed on your system.

echo $(hostname) >>...: The value of hostname is echoed to a file called cracklib-extra-words. This extra file is intended to be a site specific list which includes easy to guess passwords such as company or department names, user names, product names, computer names, domain names, etc.

create-cracklib-dict ...: This command creates the CrackLib dictionary from the word lists. Modify the command to add any additional word lists you have installed.


Installed Programs: cracklib-check, cracklib-format, cracklib-packer, cracklib-unpacker, cracklib-update, and create-cracklib-dict
Installed Libraries: and the (Python module)
Installed Directories: /usr/lib/cracklib, /usr/share/dict and /usr/share/cracklib

Short Descriptions


is used to determine if a password is strong


is used to format text files (lowercases all words, removes control characters and sorts the lists)


creates a database with words read from standard input


displays on standard output the database specified


is used to create the CrackLib dictionary from the given word list(s)

provides a fast dictionary lookup method for strong password enforcement


Introduction to cryptsetup

cryptsetup is used to set up transparent encryption of block devices using the kernel crypto API.

This package is known to build and work properly using an LFS 12.1 platform.

Package Information

cryptsetup Dependencies


JSON-C-0.17, LVM2-2.03.23, and popt-1.19


asciidoctor-2.0.20, libpwquality-1.4.5, argon2, libssh, and passwdqc

Kernel Configuration

Encrypted block devices require kernel support. To use it, the appropriate kernel configuration parameters need to be set:

Device Drivers --->
  [*] Multiple devices driver support (RAID and LVM) --->                   [MD]
    <*/M> Device mapper support                                     [BLK_DEV_DM]
    <*/M>   Crypt target support                                      [DM_CRYPT]

-*- Cryptographic API --->                                              [CRYPTO]
  Block ciphers --->
    <*/M> AES (Advanced Encryption Standard)                        [CRYPTO_AES]
    # For tests:
    <*/M> Twofish                                               [CRYPTO_TWOFISH]
  Length-preserving ciphers and modes --->
    <*/M> XTS (XOR Encrypt XOR with ciphertext stealing)            [CRYPTO_XTS]
  Hashes, digests, and MACs --->
    <*/M> SHA-224 and SHA-256                                    [CRYPTO_SHA256]
  Userspace interface --->
    <*/M> Symmetric key cipher algorithms             [CRYPTO_USER_API_SKCIPHER]

Installation of cryptsetup

Install cryptsetup by running the following commands:

./configure --prefix=/usr       \
            --disable-ssh-token \
            --disable-asciidoc  &&

To test the result, issue as the root user: make check. Some tests will fail if appropriate kernel configuration options are not set. Some additional options that may be needed for tests are:


Now, as the root user:

make install

Command Explanations

--disable-ssh-token: This switch is required if the optional libssh dependency is not installed.

--disable-asciidoc: This switch disables regeneration of the man pages. Remove this switch if you have asciidoctor-2.0.20 installed and wish to regenerate the man pages. Note that even if this switch is used, the pre-generated man pages are shipped in the tarball and they'll still be installed.

Configuring cryptsetup

Because of the number of possible configurations, setup of encrypted volumes is beyond the scope of the BLFS book. Please see the configuration guide in the cryptsetup FAQ.


Installed Programs: cryptsetup, cryptsetup-reencrypt, integritysetup, and veritysetup
Installed Libraries:
Installed Directories: None

Short Descriptions


is used to setup dm-crypt managed device-mapper mappings


is a tool for offline LUKS device re-encryption


is a tool to manage dm-integrity (block level integrity) volumes


is used to configure dm-verity managed device-mapper mappings. The Device-mapper verity target provides read-only transparent integrity checking of block devices using the kernel crypto API

Cyrus SASL-2.1.28

Introduction to Cyrus SASL

The Cyrus SASL package contains a Simple Authentication and Security Layer implementation, a method for adding authentication support to connection-based protocols. To use SASL, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection.

This package is known to build and work properly using an LFS 12.1 platform.

Package Information

Cyrus SASL Dependencies


Linux-PAM-1.6.0, MIT Kerberos V5-1.21.2, MariaDB-10.11.7 or MySQL, OpenLDAP-2.6.7, PostgreSQL-16.2, sphinx-7.2.6, SQLite-3.45.1, Berkeley DB (deprecated), krb4, Dmalloc, and Pod::POM::View::Restructured

Installation of Cyrus SASL


This package does not support parallel build.

Install Cyrus SASL by running the following commands:

./configure --prefix=/usr        \
            --sysconfdir=/etc    \
            --enable-auth-sasldb \
            --with-dblib=lmdb    \
            --with-dbpath=/var/lib/sasl/sasldb2 \
            --with-sphinx-build=no              \
            --with-saslauthd=/var/run/saslauthd &&
make -j1

This package does not come with a test suite. If you are planning on using the GSSAPI authentication mechanism, test it after installing the package using the sample server and client programs which were built in the preceding step. Instructions for performing the tests can be found at

Now, as the root user:

make install &&
install -v -dm755                          /usr/share/doc/cyrus-sasl-2.1.28/html &&
install -v -m644  saslauthd/LDAP_SASLAUTHD /usr/share/doc/cyrus-sasl-2.1.28      &&
install -v -m644  doc/legacy/*.html        /usr/share/doc/cyrus-sasl-2.1.28/html &&
install -v -dm700 /var/lib/sasl

Command Explanations

--with-dbpath=/var/lib/sasl/sasldb2: This switch forces the sasldb database to be created in /var/lib/sasl instead of /etc.

--with-saslauthd=/var/run/saslauthd: This switch forces saslauthd to use the FHS compliant directory /var/run/saslauthd for variable run-time data.

--enable-auth-sasldb: This switch enables SASLDB authentication backend.

--with-dblib=gdbm: This switch forces GDBM to be used instead of LMDB.

--with-ldap: This switch enables the OpenLDAP support.

--enable-ldapdb: This switch enables the LDAPDB authentication backend.

--enable-login: This option enables unsupported LOGIN authentication.

--enable-ntlm: This option enables unsupported NTLM authentication.

install -v -m644 ...: These commands install documentation which is not installed by the make install command.

install -v -m700 -d /var/lib/sasl: This directory must exist when starting saslauthd or using the sasldb plugin. If you're not going to be running the daemon or using the plugins, you may omit the creation of this directory.

Configuring Cyrus SASL

Config Files

/etc/saslauthd.conf (for saslauthd LDAP configuration) and /etc/sasl2/Appname.conf (where "Appname" is the application defined name of the application)

Configuration Information

See for information on what to include in the application configuration files.

See file:///usr/share/doc/cyrus-sasl-2.1.28/LDAP_SASLAUTHD for configuring saslauthd with OpenLDAP.

See for configuring saslauthd with Kerberos.

Systemd Unit

If you need to run the saslauthd daemon at system startup, install the saslauthd.service unit included in the blfs-systemd-units-20240205 package using the following command:

make install-saslauthd


You'll need to modify /etc/default/saslauthd and modify the MECHANISM parameter with your desired authentication mechanism. The default authentication mechanism is "shadow".


Installed Programs: pluginviewer, saslauthd, sasldblistusers2, saslpasswd2 and testsaslauthd
Installed Library:
Installed Directories: /usr/include/sasl, /usr/lib/sasl2, /usr/share/doc/cyrus-sasl-2.1.28 and /var/lib/sasl

Short Descriptions


is used to list loadable SASL plugins and their properties


is the SASL authentication server


is used to list the users in the SASL password database sasldb2


is used to set and delete a user's SASL password and mechanism specific secrets in the SASL password database sasldb2


is a test utility for the SASL authentication server

is a general purpose authentication library for server and client applications


Introduction to GnuPG

The GnuPG package is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440 and the S/MIME standard as described by several RFCs. GnuPG 2 is the stable version of GnuPG integrating support for OpenPGP and S/MIME.

This package is known to build and work properly using an LFS 12.1 platform.

Package Information

GnuPG 2 Dependencies


libassuan-2.5.6, libgcrypt-1.10.3, libksba-1.6.5, npth-1.6, and OpenLDAP-2.6.7


cURL-8.6.0, Fuse-3.16.2, ImageMagick-7.1.1-28 (for the convert utility, used for generating the documentation), libusb-1.0.27, an MTA, SQLite-3.45.1, texlive-20230313 (or install-tl-unx), fig2dev (for generating documentation), and GNU adns

Installation of GnuPG

Install GnuPG by running the following commands:

mkdir build &&
cd    build &&

../configure --prefix=/usr           \
             --localstatedir=/var    \
             --sysconfdir=/etc       \
             --docdir=/usr/share/doc/gnupg-2.4.4 &&
make &&

makeinfo --html --no-split -I doc -o doc/gnupg_nochunks.html ../doc/gnupg.texi &&
makeinfo --plaintext       -I doc -o doc/gnupg.txt           ../doc/gnupg.texi &&
make -C doc html

If you have texlive-20230313 installed and you wish to create documentation in alternate formats, issue the following command (fig2dev is needed for the ps format), but note that this process fails due to missing files:

make -C doc pdf ps

To test the results, issue: make check.

Now, as the root user:

make install &&

install -v -m755 -d /usr/share/doc/gnupg-2.4.4/html            &&
install -v -m644    doc/gnupg_nochunks.html \
                    /usr/share/doc/gnupg-2.4.4/html/gnupg.html &&
install -v -m644    ../doc/*.texi doc/gnupg.txt \
                    /usr/share/doc/gnupg-2.4.4 &&
install -v -m644    doc/gnupg.html/* \

If you created alternate formats of the documentation, install them using the following command as the root user:

install -v -m644 doc/gnupg.{pdf,dvi,ps} \

Command Explanations

mkdir build && cd build: the Gnupg2 developers recommend to build the package in a dedicated directory.

--docdir=/usr/share/doc/gnupg-2.4.4: This switch changes the default docdir to /usr/share/doc/gnupg-2.4.4.

--enable-all-tests: This switch allows more tests to be run with make check.

--enable-g13: This switch enables building the g13 program.


Installed Programs: addgnupghome, applygnupgdefaults, dirmngr, dirmngr-client, g13 (optional), gpg-agent, gpg-card, gpg-connect-agent, gpg, gpgconf, gpgparsemail, gpgscm, gpgsm, gpgsplit, gpgtar, gpgv, gpg-wks-client, gpg-wks-server, kbxutil, and watchgnupg
Installed Libraries: None
Installed Directories: /usr/share/doc/gnupg-2.4.4 and /usr/share/gnupg

Short Descriptions


is used to create and populate a user's ~/.gnupg directories


is a wrapper script used to run gpgconf with the --apply-defaults parameter on all user's GnuPG home directories


is a tool that takes care of accessing the OpenPGP keyservers


is a tool to contact a running dirmngr and test whether a certificate has been revoked


is a tool to create, mount or unmount an encrypted file system container (optional)


is a daemon used to manage secret (private) keys independently from any protocol. It is used as a backend for gpg and gpgsm as well as for a couple of other utilities


is a tool to manage smart cards and tokens


is a utility used to communicate with a running gpg-agent


is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool used to provide digital encryption and signing services using the OpenPGP standard


is a utility used to automatically and reasonably safely query and modify configuration files in the ~/.gnupg home directory. It is designed not to be invoked manually by the user, but automatically by graphical user interfaces


is a utility currently only useful for debugging. Run it with --help for usage information


executes the given scheme program or spawns an interactive shell


is a tool similar to gpg used to provide digital encryption and signing services on X.509 certificates and the CMS protocol. It is mainly used as a backend for S/MIME mail processing


splits an OpenPGP message into packets


is a tool to encrypt or sign files into an archive


is a verify only version of gpg


is a client for the Web Key Service protocol


provides a server for the Web Key Service protocol


is used to list, export and import Keybox data


is used to listen to a Unix Domain socket created by any of the GnuPG tools


Introduction to GnuTLS

The GnuTLS package contains libraries and userspace tools which provide a secure layer over a reliable transport layer. Currently the GnuTLS library implements the proposed standards by the IETF's TLS working group. Quoting from the TLS 1.3 protocol specification :

TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.

GnuTLS provides support for TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0, and (optionally) SSL 3.0 protocols. It also supports TLS extensions, including server name and max record size. Additionally, the library supports authentication using the SRP protocol, X.509 certificates, and OpenPGP keys, along with support for the TLS Pre-Shared-Keys (PSK) extension, the Inner Application (TLS/IA) extension, and X.509 and OpenPGP certificate handling.

This package is known to build and work properly using an LFS 12.1 platform.

Package Information

GnuTLS Dependencies




Brotli-1.1.0, Doxygen-1.10.0, GTK-Doc-1.33.2, libidn-1.42 or libidn2-2.3.7, libseccomp-2.5.5, Net-tools-2.10 (used during the test suite), texlive-20230313 or install-tl-unx, Unbound-1.19.1 (to build the DANE library), Valgrind-3.22.0 (used during the test suite), autogen, cmocka and datefudge (used during the test suite if the DANE library is built), and Trousers (Trusted Platform Module support)


Note that if you do not install libtasn1-4.19.0, a version shipped in the GnuTLS tarball will be used instead.

Installation of GnuTLS

Install GnuTLS by running the following commands:

./configure --prefix=/usr \
            --docdir=/usr/share/doc/gnutls-3.8.3 \
            --with-default-trust-store-pkcs11="pkcs11:" &&

To test the results, issue: make check.

Now, as the root user:

make install

Command Explanations

--with-default-trust-store-pkcs11="pkcs11:": This switch tells gnutls to use the PKCS #11 trust store as the default trust. Omit this switch if p11-kit-0.25.3 is not installed.

--with-default-trust-store-file=/etc/pki/tls/certs/ca-bundle.crt: This switch tells configure where to find the legacy CA certificate bundle and to use it instead of PKCS #11 module by default. Use this if p11-kit-0.25.3 is not installed.

--enable-gtk-doc: Use this parameter if GTK-Doc is installed and you wish to rebuild and install the API documentation.

--enable-openssl-compatibility: Use this switch if you wish to build the OpenSSL compatibility library.

--without-p11-kit: use this switch if you have not installed p11-kit.

--with-included-unistring: uses the bundled version of libunistring, instead of the system one. Use this switch if you have not installed libunistring-1.1.


Installed Programs: certtool, danetool, gnutls-cli, gnutls-cli-debug, gnutls-serv, ocsptool, p11tool, psktool, and srptool
Installed Libraries:,,, (optional), and /usr/lib/guile/3.0/extensions/
Installed Directories: /usr/include/gnutls, /usr/lib/guile/3.0/site-ccache/gnutls, /usr/share/guile/site/3.0/gnutls, and /usr/share/doc/gnutls-3.8.3

Short Descriptions


is used to generate X.509 certificates, certificate requests, and private keys


is a tool used to generate and check DNS resource records for the DANE protocol


is a simple client program to set up a TLS connection to some other computer


is a simple client program to set up a TLS connection to some other computer and produces very verbose progress results


is a simple server program that listens to incoming TLS connections


is a program that can parse and print information about OCSP requests/responses, generate requests and verify responses


is a program that allows handling data from PKCS #11 smart cards and security modules


is a simple program that generates random keys for use with TLS-PSK


is a simple program that emulates the programs in the Stanford SRP (Secure Remote Password) libraries using GnuTLS

contains the core API functions and X.509 certificate API functions


Introduction to GPGME

The GPGME package is a C library that allows cryptography support to be added to a program. It is designed to make access to public key crypto engines like GnuPG or GpgSM easier for applications. GPGME provides a high-level crypto API for encryption, decryption, signing, signature verification and key management.

This package is known to build and work properly using an LFS 12.1 platform.

Package Information

GPGME Dependencies




Doxygen-1.10.0 and Graphviz-10.0.1 (for API documentation), GnuPG-2.4.4 (required if Qt or SWIG are installed; used during the test suite), Clisp-2.49, (Qt-5.15.12 or qt-alternate-5.15.12), and SWIG-4.2.0 (for language bindings)

Installation of GPGME

Install GPGME by running the following commands:

mkdir build &&
cd    build &&

../configure --prefix=/usr --disable-gpg-test &&

If SWIG-4.2.0 is installed, build the Python 3 binding as a wheel:

if swig -version > /dev/null; then
  srcdir=$PWD/../lang/python \
  top_builddir=$PWD          \
  pip3 wheel -w dist --no-build-isolation --no-deps --no-cache-dir $PWD/lang/python

To test the results, you should have GnuPG-2.4.4 installed and remove the --disable-gpg-test above. If SWIG-4.2.0 is installed, it's necessary to adapt the test suite to use the Python 3 binding just built as a wheel as well. Issue:

if swig -version > /dev/null; then
  python3 -m venv testenv                                              &&
  testenv/bin/pip3 install --no-index --find-links=dist --no-cache-dir \
                           gpg                                         &&
  sed '/PYTHON/ --python-libdir=/dev/null#'            \
      -i lang/python/tests/Makefile
fi &&

make -k check PYTHONS= PYTHON=$PWD/testenv/bin/python3

Now, as the root user:

make install PYTHONS=

If SWIG-4.2.0 is installed, still as the root user, install the Python 3 binding:

if swig -version > /dev/null; then
  pip3 install --no-index --find-links=dist --no-cache-dir --no-user gpg

Command Explanations

--disable-gpg-test: if this parameter is not passed to configure, the test programs are built during make stage, which requires GnuPG-2.4.4. This parameter is not needed if GnuPG-2.4.4 is installed.

PYTHONS=: Disable building Python binding using the deprecated python3 build command. The explicit instruction to build the Python 3 binding with the pip3 wheel command is provided.


Installed Program: gpgme-json, and gpgme-tool
Installed Libraries:,, and
Installed Directory: /usr/include/{gpgme++,qgpgme,QGpgME}, /usr/lib/cmake/{Gpgmepp,QGpgme}. /usr/lib/python3.12/site-packages/gpg{,-1.23.2.dist-info}, and /usr/share/common-lisp/source/gpgme

Short Descriptions


outputs GPGME commands in JSON format


is an assuan server exposing GPGME operations, such as printing fingerprints and keyids with keyservers

contains the GPGME API functions

contains the C++ GPGME API functions

contains API functions for handling GPG operations in Qt applications


Introduction to iptables

iptables is a userspace command line program used to configure the Linux 2.4 and later kernel packet filtering ruleset.

This package is known to build and work properly using an LFS 12.1 platform.

Package Information

iptables Dependencies


libpcap-1.10.4 (required for BPF compiler or nfsynproxy support), bpf-utils (required for Berkeley Packet Filter support), libnfnetlink (required for connlabel support), libnetfilter_conntrack (required for connlabel support), and nftables

Kernel Configuration

A firewall in Linux is accomplished through the netfilter interface. To use iptables to configure netfilter, the following kernel configuration parameters are required:

[*] Networking support --->                                                [NET]
  Networking options --->
    [*] Network packet filtering framework (Netfilter) --->          [NETFILTER]
      [*] Advanced netfilter configuration                  [NETFILTER_ADVANCED]
      Core Netfilter Configuration --->
        <*/M> Netfilter connection tracking support               [NF_CONNTRACK]
        <*/M> Netfilter Xtables support (required for ip_tables)
                                                        ...  [NETFILTER_XTABLES]
        <*/M>   LOG target support                     [NETFILTER_XT_TARGET_LOG]
      IP: Netfilter Configuration --->
        <*/M> IP tables support (required for filtering/masq/NAT)
                                                           ...  [IP_NF_IPTABLES]

Include any connection tracking protocols that will be used, as well as any protocols that you wish to use for match support under the "Core Netfilter Configuration" section. The above options are enough for running Creating a Personal Firewall With iptables below.

Installation of iptables


The installation below does not include building some specialized extension libraries which require the raw headers in the Linux source code. If you wish to build the additional extensions (if you aren't sure, then you probably don't), you can look at the INSTALL file to see an example of how to change the KERNEL_DIR= parameter to point at the Linux source code. Note that if you upgrade the kernel version, you may also need to recompile iptables and that the BLFS team has not tested using the raw kernel headers.

Install iptables by running the following commands:

./configure --prefix=/usr      \
            --disable-nftables \
            --enable-libipq    &&

This package does not come with a test suite.

Now, as the root user:

make install

Command Explanations

--disable-nftables: This switch disables building nftables compatibility.

--enable-libipq: This switch enables building of which can be used by some packages outside of BLFS.

--enable-nfsynproxy: This switch enables installation of nfsynproxy SYNPROXY configuration tool.

Configuring iptables


In the following example configurations, LAN1 is used for the internal LAN interface, and WAN1 is used for the external interface connected to the Internet. You will need to replace these values with appropriate interface names for your system.

Personal Firewall

A Personal Firewall is designed to let you access all the services offered on the Internet while keeping your computer secure and your data private.

Below is a slightly modified version of Rusty Russell's recommendation from the Linux 2.4 Packet Filtering HOWTO. It is still applicable to the Linux 6.x kernels.

install -v -dm755 /etc/systemd/scripts

cat > /etc/systemd/scripts/iptables << "EOF"

# Begin /etc/systemd/scripts/iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians

# be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT  -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log everything else.
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End /etc/systemd/scripts/iptables
chmod 700 /etc/systemd/scripts/iptables

This script is quite simple, it drops all traffic coming into your computer that wasn't initiated from your computer, but as long as you are simply surfing the Internet you are unlikely to exceed its limits.

If you frequently encounter certain delays at accessing FTP servers, take a look at BusyBox with iptables example number 4.

Even if you have daemons or services running on your system, these will be inaccessible everywhere but from your computer itself. If you want to allow access to services on your machine, such as ssh or ping, take a look at Creating a BusyBox With iptables.

Masquerading Router

A Network Firewall has two interfaces, one connected to an intranet, in this example LAN1, and one connected to the Internet, here WAN1. To provide the maximum security for the firewall itself, make sure that there are no unnecessary servers running on it such as X11. As a general principle, the firewall itself should not access any untrusted service (think of a remote server giving answers that makes a daemon on your system crash, or even worse, that implements a worm via a buffer-overflow).

install -v -dm755 /etc/systemd/scripts

cat > /etc/systemd/scripts/iptables << "EOF"

# Begin /etc/systemd/scripts/iptables

echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."

echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo ""

# Insert iptables modules (not needed if built into the kernel).

modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding if the initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW       -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# The following sections allow inbound packets for specific examples
# Uncomment the example lines and adjust as necessary

# Allow ping on the external interface
#iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
#iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT

# Reject ident packets with TCP reset to avoid delays with FTP or IRC
#iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# Allow HTTP and HTTPS to
#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to
#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to
#iptables -A FORWARD -p tcp -d --dport 80 -j ACCEPT
#iptables -A FORWARD -p tcp -d --dport 443 -j ACCEPT

# End /etc/systemd/scripts/iptables
chmod 700 /etc/systemd/scripts/iptables

With this script your intranet should be reasonably secure against external attacks. No one should be able to setup a new connection to any internal service and, if it's masqueraded, makes your intranet invisible to the Internet. Furthermore, your firewall should be relatively safe because there are no services running that a cracker could attack.


This scenario isn't too different from the Creating a Masquerading Router With iptables, but additionally offers some services to your intranet. Examples of this can be when you want to administer your firewall from another host on your intranet or use it as a proxy or a name server.


Outlining specifically how to protect a server that offers services on the Internet goes far beyond the scope of this document. See the references in the section called “Extra Information” for more information.

Be cautious. Every service you have enabled makes your setup more complex and your firewall less secure. You are exposed to the risks of misconfigured services or running a service with an exploitable bug. A firewall should generally not run any extra services. See the introduction to the Creating a Masquerading Router With iptables for some more details.

If you want to add services such as internal Samba or name servers that do not need to access the Internet themselves, the additional statements are quite simple and should still be acceptable from a security standpoint. Just add the following lines into the script before the logging rules.

iptables -A INPUT  -i ! WAN1  -j ACCEPT
iptables -A OUTPUT -o ! WAN1  -j ACCEPT

If daemons, such as squid, have to access the Internet themselves, you could open OUTPUT generally and restrict INPUT.

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT

However, it is generally not advisable to leave OUTPUT unrestricted. You lose any control over trojans who would like to "call home", and a bit of redundancy in case you've (mis-)configured a service so that it broadcasts its existence to the world.

To accomplish this, you should restrict INPUT and OUTPUT on all ports except those that it's absolutely necessary to have open. Which ports you have to open depends on your needs: mostly you will find them by looking for failed accesses in your log files.

Have a Look at the Following Examples:

  • Squid is caching the web:

    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT  -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
      -j ACCEPT
  • Your caching name server (e.g., named) does its lookups via UDP:

    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
  • You want to be able to ping your computer to ensure it's still alive:

    iptables -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply   -j ACCEPT
  • If you are frequently accessing FTP servers or enjoy chatting, you might notice delays because some implementations of these daemons query an identd daemon on your system to obtain usernames. Although there's really little harm in this, having an identd running is not recommended because many security experts feel the service gives out too much additional information.

    To avoid these delays you could reject the requests with a 'tcp-reset' response:

    iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  • To log and drop invalid packets (packets that came in after netfilter's timeout or some types of network scans) insert these rules at the top of the chain:

    iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \
      -j LOG --log-prefix "FIREWALL:INVALID "
    iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP
  • Anything coming from the outside should not have a private address, this is a common attack called IP-spoofing:

    iptables -A INPUT -i WAN1 -s     -j DROP
    iptables -A INPUT -i WAN1 -s  -j DROP
    iptables -A INPUT -i WAN1 -s -j DROP

    There are other addresses that you may also want to drop:,, (multicast and experimental), (Link Local Networks), and (IANA defined test network).

  • If your firewall is a DHCP client, you need to allow those packets:

    iptables -A INPUT  -i WAN1 -p udp -s --sport 67 \
       -d --dport 68 -j ACCEPT
  • To simplify debugging and be fair to anyone who'd like to access a service you have disabled, purposely or by mistake, you could REJECT those packets that are dropped.

    Obviously this must be done directly after logging as the very last lines before the packets are dropped by policy:

    iptables -A INPUT -j REJECT

These are only examples to show you some of the capabilities of the firewall code in Linux. Have a look at the man page of iptables. There you will find much more information. The port numbers needed for this can be found in /etc/services, in case you didn't find them by trial and error in your log file.

Systemd Unit

To set up the iptables firewall at boot, install the iptables.service unit included in the blfs-systemd-units-20240205 package.

make install-iptables


Installed Programs: ip6tables, ip6tables-apply, ip6tables-legacy, ip6tables-legacy-restore, ip6tables-legacy-save, ip6tables-restore, ip6tables-save, iptables, iptables-apply, iptables-legacy, iptables-legacy-restore, iptables-legacy-apply, iptables-restore, iptables-save, iptables-xml, nfsynproxy (optional), and xtables-multi
Installed Libraries:,,,, and
Installed Directories: /lib/xtables and /usr/include/libiptc

Short Descriptions


is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel


is a safer way to update iptables remotely


is used to interact with iptables using the legacy command set


is used to restore a set of legacy iptables rules


is used to save a set of legacy iptables rules


is used to restore IP Tables from data specified on STDIN. Use I/O redirection provided by your shell to read from a file


is used to dump the contents of an IP Table in easily parseable format to STDOUT. Use I/O-redirection provided by your shell to write to a file


is used to convert the output of iptables-save to an XML format. Using the iptables.xslt stylesheet converts the XML back to the format of iptables-restore


are a set of commands for IPV6 that parallel the iptables commands above


(optional) configuration tool. SYNPROXY target makes handling of large SYN floods possible without the large performance penalties imposed by the connection tracking in such cases


is a binary that behaves according to the name it is called by

Setting Up a Network Firewall

Introduction to Firewall Creation

The purpose of a firewall is to protect a computer or a network against malicious access. In a perfect world every daemon or service, on every machine, is perfectly configured and immune to security flaws, and all users are trusted implicitly to use the equipment as intended. However, this is rarely, if ever, the case. Daemons may be misconfigured, or updates may not have been applied for known exploits against essential services. Additionally, you may wish to choose which services are accessible by certain machines or users, or you may wish to limit which machines or applications are allowed external access. Alternatively, you simply may not trust some of your applications or users. For these reasons, a carefully designed firewall should be an essential part of system security.

While a firewall can greatly limit the scope of the above issues, do not assume that having a firewall makes careful configuration redundant, or that any negligent misconfiguration is harmless. A firewall does not prevent the exploitation of any service you offer outside of it. Despite having a firewall, you need to keep applications and daemons properly configured and up to date.

Meaning of the Word "Firewall"

The word firewall can