[RFC] Article on freebsd-update-server

Jason jhelfman at e-e.com
Fri Nov 20 18:17:41 UTC 2009 

On Fri, Nov 20, 2009 at 06:52:26PM +0200, Manolis Kiagias thus spake:
>Giorgos Keramidas wrote:
>> <SNIP> - All changes look fine up to this point
>> :      <note>
>> : -      <para>Note down the generated KeyPrint; this value is entered into
>> : -       <filename>/etc/freebsd-update.conf</filename> for binary
>> : -       updates.</para>
>> : +      <para>Keep a note of the generated key fingerpring.  This value is
>> : +       entered into <filename>/etc/freebsd-update.conf</filename> for
>> : +       binary updates.</para>
>> :      </note>
>>
>> There are various places that the article refers to  "KeyPrint".  I think it
>> means "key fingerpring", but I am not sure.  If that's what the real meaning
>> should be, please use "key fingerprint".
That is correct. It is a "key fingerprint," in this case, and it becomes the
KeyPrint value in /etc/freebsd-update.com
>>
>>
>
>Probably, but we need some input from Jason here. I assume you are right.
>
>> :      <screen>Mon Aug 24 17:54:07 PDT 2009 Extracting world+src for FreeBSD/amd64 7.2-RELEASE
>> : @@ -411,10 +428,7 @@ to sign the release.</screen>
>> :        file named <filename>USAGE</filename>.  Execute
>> :        <filename>scripts/approve.sh</filename>, as directed.  This will sign
>> :        the release, and move components into a staging area suitable for
>> : -      uploading.  It is important to make sure that your key is mounted
>> : -      during this process.  A simple <command>df</command> will show if it
>> : -      is mounted.  If not mounted, mount the key with the passphrase supplied
>> : -      when creating it earlier.</para>
>> : +      uploading.</para>
>>
>> I don't know where the key mounting bits come from.  It seems to refer to
>> those FreeBSD installations where PGP keys are stored in removable media, like
>> a USB flash disk.  Why do we have to explicitly mention this here?  After all,
>> we don't describe how gpg-agent(1) works, or how seahorse(1) integrates PGP
>> with Gnome, or any other case of the dozens of PGP setups possible...

In order to a sign a release, the key generated at the beginning of the
process needs to be mounted in order to properly approve the release and
update to code so it will work for updates. If the key is not mounted,
approving the release won't work, and then updates can't be uploaded.

>>
>>
>
>Same here, I am not really sure what the key mounting refers to.
>
>> : @@ -524,9 +547,11 @@ Wed Aug 26 12:50:07 PDT 2009 Cleaning st
>> :      <note>
>> :        <para>When running a patch level build, we are assuming that previous
>> :         patches are in place.  When a patch build is run, it will run all
>> : -       patches less than or equal to the number specified.  Beyond this,
>> : -       you will have to take appropriate measures to verify authenticity
>> : -       of the patch.</para>
>> : +       patches less than or equal to the number specified.</para>
>> : +
>> : +      <para><emphasis>It is up to the administrator of the freebsd-update
>> : +         server to take appropriate measures to verify the authenticity of
>> : +         every patch.</emphasis></para>
>>
>> I think we ought to emphasize a bit the part about patch authenticity, but I
>> am not sure if I chose the right way to do this.
>>
>>
>
>Or maybe use <warning> around it?
>
>> : -    <para>Follow the same process as noted before for appoving a build.</para>
>> : +    <para>Follow the same process as noted before for approving a build:</para>
>>
>> Typo.
>>
>> There are more changes, in the attached patch.  Most of them are attempts to
>> improve the wording of various small parts of the article.  Please see the
>> attached diff for all of them.
>>
>>
>
>The patch has been applied, the new version is available in mercurial
>and also uploaded again to freefall.
>
>> One more important detail.  We are still discussing at doceng@ how we can
>> bring the final article into CVS.  So, please hold from committing this, until
>> we have resolved all the remaining details.
>>
>>
>
>Yes, I am aware of this.
>Jason has thought of something like this (copied from email):
>
><sect1 id="afterword">
>    <title>Afterword</title>
>
>    <para>This <ulink
>url="http://www.experts-exchange.com/articles/OS/Unix/BSD/FreeBSD/Build-Your-Own-FreeBSD-Update-Server.html">FreeBSD
>
>Update </ulink> article was originally published at <ulink
>url="http://www.experts-exchange.com">Experts-Exchange</ulink>.</para>
></sect1>
>
>and I thought we could turn this into  something like "Acknowledgements
>/ Further Reading" section (will probably need to be expanded a bit).
>Does this make any sense?
>
>> I'm sure that a lot of people will love reading an article that describes in
>> detail how to set up a local freebsd-update server.  Thanks for all the work
>> done so far on what seems to be an excellent article! :-D
>>
>
>And we thank you for the thorough review :)
>
Thank you and I will take a look at the included file.

Jason

More information about the freebsd-doc mailing list