Secure updating of OS and ports

Colin Percival colin.percival at wadham.ox.ac.uk
Mon Nov 17 09:44:15 PST 2003


At 06:02 17/11/2003 -0800, Carol Overes wrote:
>I'm thinking of updating kernel and binaries with
>patches from ftp.freebsd.org which are signed with
>the PGP key of the security officers. However, this
>has to be hand-made patching. Does anyone know a
>secure way via, for example, cvsup?

   CVSup is insecure.  FreeBSD Update might do what you want, but you'd 
have to trust me. :)

>Also, I'm looking for a secure way to update ports
>applications. How can I check that patches for ports
>don't contain any trojans, for example, or are coming
>from the original source.

   There isn't any way to update the ports tree securely.  I'd like to fix 
this, but at the moment I need to give priority to my DPhil work, so it 
probably isn't going to happen in the near future.

Colin Percival




More information about the freebsd-stable mailing list