freebsd-update defaults and restrictions
taosecurity at gmail.com
Fri Jan 20 19:51:48 PST 2006
Gayn Winters wrote:
> Bejtlich states that the KEY and the URL in the .conf file are
> cooked to get updates from Colin's site, and to use the sample file "if
> you trust [Colin] to securely build binary updates for you to blindly
> install ..." Aside from Bejtlich's obvious tongue-in-cheek negativity
> (they are both security guys after all, and Colin is the FreeBSD
> security officer), are there other possible sites for updates?
If you take a look at the text you're quoting, you'll notice that it's
output from installing freebsd-update. I did not need to apply any
"obvious tongue-in-cheek negativity" in my article -- those are
Colin's words! I have the utmost respect for Colin; he's been very
helpful in the community.
Also, when I wrote the original article (Dec 04), Colin was not the
security officer. That didn't happen until Aug 05, which is still
after the date on the current article (Apr 05).
For the latest info, you might like to read my article published in
the Feb 06 Sys Admin magazine on Keeping FreeBSD Up-to-Date.
To your questions -- I don't know of any sites beyond Colin's that
provide updates at this time. If we see freebsd-update moved into the
base system, I expect to see freebsd.org mirrors carrying them. It
would be nice to have updates for non-i386 platforms, too.
I defer to Colin for your other queries.
More information about the freebsd-questions