Downloading 10.2-RELEASE-p10 source without prayer
Matthew Seaman
matthew at freebsd.org
Wed Jan 20 17:26:10 UTC 2016
On 01/20/16 16:58, mfv wrote:
>> On Wed, 2016-01-20 at 08:20 Matthew Seaman <matthew at FreeBSD.org>
>> wrote:
>>
>> On 20/01/2016 01:30, Chris Stankevitz wrote:
>>> On Tue, Jan 19, 2016 at 4:45 PM, Chris Stankevitz
>>> <chrisstankevitz at gmail.com> wrote:
>>>>> Of course I'm being sarcastic about the prayer... but is there a
>>>>> way (a tarball or special SVN tag/branch) to get the "official"
>>>>> 10.2-RELEASE-p10 code? What do the freebsd-update servers use?
>>
>>> I could just look at "svn log -l 1" and see if it jives more or less
>>> with the most recent freebsd-announce email.
>>
>> Depends how paranoid you want to be.
>>
>> If you download one of the DVD installation images, that should include
>> base system sources and will have offline checksums that you can
>> verify.
>>
>> You can then apply the patches from all of the SAs and ENs published
>> since, all of which are digitally signed. That's probably as good as
>> you can get in ensuring you've got authentic, untampered sources.
>>
>> Most people would find it good enough to use eg. freebsd-update -- the
>> updates are cryptographically signed, so you can be reasonably certain
>> that what it installs on your system is the same as what it has on the
>> servers. It does use a pretty direct connection to the master SVN
>> repository for obtaining the code it builds from, but you generally
>> have to trust that it is using unadulterated sources itself.
>> freebsd-update can maintain a copy of /usr/src for you.
>>
>> Or else you can just checkout the RELENG-10 branch from one of the SVN
>> mirrors:
>>
>> # cd /usr
>> # svn co https://svn.freebsd.org/base/releng/10.2 src
>>
>> The SSL cert on the server should be sufficient guarantee you've not
>> been spoofed into some MITM scenario.
>>
>> Cheers,
>>
>> Matthew
>>
>
> Hello Matthew,
>
> Thanks for outlining those steps for updating system source code. Being
> a bit on the paranoid side these are the steps I have been following.
> Rather than using svn, however, I've been using svnup which for a
> single host seems to be sufficiently lightweight.
>
> I've been using https for the protocol setting but was wondering if
> there is greater security using the svn protocol. Is one protocol more
> secure than another? Or does it really make a difference?

There's not a lot of difference functionality- or performance-wise as
far as an end-user is concerned. However, only https gives you any
assurance that you are connecting to the server you thought you were.
You will need to check the cert -- svn will ask you about it the first
time you connect.

Cheers,

Matthew
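
One way to script the certificate check mentioned above, as an added example that is not part of the original message: it compares the SHA-256 fingerprint the server presents with one obtained from a trusted out-of-band source before running the checkout. The function names are hypothetical, and the expected fingerprint is something you must supply yourself, since the thread does not give one.

```shell
#!/bin/sh
# Added example (not from the thread): compare a server's TLS certificate
# fingerprint with a known-good value before trusting it for "svn co".

# Normalise a fingerprint: drop any "label=" prefix, colons and spaces,
# and upper-case the hex digits so differently formatted values compare equal.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only if both fingerprints are non-empty and identical once normalised.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint of the leaf certificate a host presents
# on port 443 (needs network access and the openssl command).
server_fp() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# $1 = host, $2 = expected fingerprint (from a trusted source),
# $3 = repository URL, $4 = target directory.
# Runs the checkout only when the presented certificate matches.
verified_checkout() {
    seen=$(server_fp "$1") || return 1
    if fp_matches "$seen" "$2"; then
        svn co "$3" "$4"
    else
        echo "fingerprint mismatch for $1: got $(normalize_fp "$seen")" >&2
        return 1
    fi
}

# Usage, with a placeholder for the fingerprint you verified out-of-band:
#   verified_checkout svn.freebsd.org '<EXPECTED-SHA256-FINGERPRINT>' \
#       https://svn.freebsd.org/base/releng/10.2 /usr/src
```

The fingerprint probe and the checkout are separate TLS connections, so svn's own certificate validation still applies to the checkout itself.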