Downloading 10.2-RELEASE-p10 source without prayer

Matthew Seaman matthew at freebsd.org
Wed Jan 20 17:26:10 UTC 2016


On 01/20/16 16:58, mfv wrote:
>> On Wed, 2016-01-20 at 08:20 Matthew Seaman <matthew at FreeBSD.org>
>> wrote:
>>
>> On 20/01/2016 01:30, Chris Stankevitz wrote:
>>> On Tue, Jan 19, 2016 at 4:45 PM, Chris Stankevitz
>>> <chrisstankevitz at gmail.com> wrote:  
>>>>> Of course I'm being sarcastic about the prayer... but is there a
>>>>> way (a tarball or special SVN tag/branch) to get the "official"
>>>>> 10.2-RELEASE-p10 code?  What do the freebsd-update servers use?  
>>
>>> I could just look at "svn log -l 1" and see if it jives more or less
>>> with the most recent freebsd-announce email.  
>>
>> Depends how paranoid you want to be.
>>
>> If you download one of the DVD installation images, that should include
>> base system sources and will have offline checksums that you can
>> verify.
>>
>> You can then apply the patches from all of the SAs and ENs published
>> since, all of which are digitally signed.  That's probably as good as
>> you can get in ensuring you've got authentic, untampered sources.
>>
>> Most people would find it good enough to use e.g. freebsd-update -- the
>> updates are cryptographically signed, so you can be reasonably certain
>> that what it installs on your system is the same as what it has on the
>> servers.  It does use a pretty direct connection to the master SVN
>> repository for obtaining the code it builds from, but you generally
>> have to trust that it is using unadulterated sources itself.
>> freebsd-update can maintain a copy of /usr/src for you.
>>
>> Or else you can just checkout the RELENG-10 branch from one of the SVN
>> mirrors:
>>
>> # cd /usr
>> # svn co https://svn.freebsd.org/base/releng/10.2 src
>>
>> The SSL cert on the server should be sufficient guarantee you've not
>> been spoofed into some MITM scenario.
>>
>> 	Cheers,
>>
>> 	Matthew
>>
> 
> Hello Matthew,
> 
> Thanks for outlining those steps for updating system source code. Being
> a bit on the paranoid side, these are the steps I have been following.
> Rather than using svn, however, I've been using svnup which for a
> single host seems to be sufficiently lightweight.
> 
> I've been using https for the protocol setting but was wondering if
> there is greater security using the svn protocol.  Is one protocol more
> secure than another?  Or does it really make a difference?

There's not a lot of difference functionality- or performance-wise as
far as an end-user is concerned.  However, only https gives you any
assurance that you are connecting to the server you thought you were.
You will need to check the cert -- svn will ask you about it the first
time you connect.

	Cheers,

	Matthew
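
The offline checksum check on an installation image mentioned in the quoted advice above, as an added example that is not part of the original thread. It assumes the checksum list uses BSD-style `SHA256 (name) = digest` lines and was itself obtained from a source you trust; the function names `sha256_of` and `verify_image` are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded image against a BSD-style checksum list.
# Function names are hypothetical; file names with spaces are not handled.

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                          # FreeBSD base system
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_image CHECKSUM_FILE IMAGE
# Returns 0 on match, 1 on mismatch, 2 if the image is unlisted or unusable.
verify_image() {
    sumfile=$1
    image=$2
    [ -r "$sumfile" ] && [ -r "$image" ] || { echo "unreadable input" >&2; return 2; }
    name=$(basename "$image")
    # Compare the file name as a literal string, not as a regex, so a name
    # like "a.iso" cannot match an entry for "aXiso".
    expected=$(awk -v n="$name" '
        $1 == "SHA256" && $2 == "(" n ")" && $3 == "=" { print tolower($4); exit }
    ' "$sumfile")
    [ -n "$expected" ] || { echo "$name: not listed in $sumfile" >&2; return 2; }
    printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$' ||
        { echo "$name: malformed digest in $sumfile" >&2; return 2; }
    actual=$(sha256_of "$image" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# Run as a script: sh verify.sh CHECKSUM_FILE IMAGE
if [ $# -eq 2 ]; then
    verify_image "$1" "$2"
fi
```

An unlisted image returns 2 rather than 1, so a missing entry is not mistaken for a tampered file.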

