freebsd-update defaults and restrictions

Gayn Winters gayn.winters at
Mon Jan 2 19:15:35 PST 2006

Colin Percival's freebsd-update utility has a number of options/flags
that I can't figure out from
man freebsd-update or
man freebsd-update.conf or

freebsd-update [-b basedir] [--branch branchname] [-k KEY] command [URL]

-b basedir "Act on a FreeBSD world based at ... basedir"  
What does this mean?  If omitted, what is the default?

--branch branchname  Possibilities are nocrypto, crypto, ... .
The example in Bejtlich's paper 
doesn't use --branch, and yet he implies the default is crypto and that
most installations need crypto.  Is the default crypto?  How would I
know what I need?

-k KEY  "A public key with a given MD5 hash"
URL     "The URL from which updates are fetched"

The above two can also be specified in freebsd-update.conf and the
sample file has URL pointing to (Colin's web
server).  Bejtlich states that the KEY and the URL in the .conf file are
cooked to get updates from Colin's site, and to use the sample file "if
you trust [Colin] to securely build binary updates for you to blindly
install ..."  Aside from Bejtlich's obvious tongue-in-cheek negativity
(they are both security guys after all, and Colin is the FreeBSD
security officer), are there other possible sites for updates?  How do I
figure out a correct value for KEY if I know the URL?  Incidentally, the
KEY and the URL are required, since they either need to be specified on
the command line as in the above syntax or via the configuration file.

Finally, freebsd-update must operate on a GENERIC kernel, but does this
mean I can still use device.hints?

Any help would be greatly appreciated.


Bristol Systems Inc.
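As an added illustration, not part of the original post and not freebsd-update's own code: the "-k KEY" description quoted above says KEY is the MD5 hash of the public key, so the check that option implies is to hash the key file fetched from URL and refuse to go on unless it matches. The function names here are my own, and the script assumes the key has already been fetched to a local file (path passed as an argument; the real fetch step and the key's file name are not shown on the page and are not assumed).

```shell
#!/bin/sh
# Added example (not from the original post or from freebsd-update):
# pin a fetched public key to the MD5 hash supplied as KEY.

# md5_of FILE: print the lowercase hex MD5 of FILE, using whichever
# digest tool this system has (md5 on BSD, md5sum on GNU, else openssl).
md5_of() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 -r "$1" | cut -d' ' -f1
    fi
}

# check_key KEYFILE KEY: return 0 if KEYFILE's MD5 equals KEY, else 1.
# The comparison is case-insensitive so a KEY value copied from an
# upper-case listing still matches the digest tool's lower-case output.
check_key() {
    keyfile=$1
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    actual=$(md5_of "$keyfile")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'public key hash mismatch: got %s, expected %s\n' \
        "$actual" "$expected" >&2
    return 1
}

# Usage sketch (variable names assumed, not taken from freebsd-update.conf):
# after fetching the key to "$keyfile" and reading KEY from the config,
#   check_key "$keyfile" "$KEY" || exit 1
```

Running md5_of on a key you have obtained once and verified out of band gives the value to put in KEY; computing it from the same URL on first contact only pins later fetches to whatever that first download returned, so the hash adds nothing against a server that was already serving a substituted key at that point.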

