Date: Mon, 23 Mar 2015 20:59:38 +0300 From: "Sergey V. Dyatko" <sergey.dyatko@gmail.com> To: freebsd-current@freebsd.org Subject: Re: bsdinstall and current (possible stable) snapshots Message-ID: <20150323205938.2098615f@laptop.minsk.domain> In-Reply-To: <55105178.3040204@freebsd.org> References: <20150323084738.70f7db7b@laptop.minsk.domain> <5762F1B8-771F-469C-9B93-AB6477C1C90D@FreeBSD.org> <55103C3D.9050009@freebsd.org> <20150323194757.285b3647@laptop.minsk.domain> <55105178.3040204@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 23 Mar 2015 10:46:32 -0700
Nathan Whitehorn <nwhitehorn@freebsd.org> wrote:=20
>=20
> On 03/23/15 09:47, Sergey V. Dyatko wrote:
> > On Mon, 23 Mar 2015 09:15:57 -0700
> > Nathan Whitehorn <nwhitehorn@freebsd.org> wrote:
> >
> >> On 03/23/15 09:06, Devin Teske wrote:
> >>>> On Mar 22, 2015, at 10:47 PM, Sergey V. Dyatko <sergey.dyatko@gmail.=
com>
> >>>> wrote:
> >>>>
> >>>> Hi Devin,
> >>>>
> >>>> Recently I'm trying to install FreeBSD CURRENT from bootonly image
> >>>> ( FreeBSD-11.0-CURRENT-amd64-20150302-r279514-bootonly.iso)
> >>>> on IBM HS22 blade via bladecenter's kvm but I faced with problem on
> >>>> checksum stage, bootonly doesn't contain base, kernel,etc distributi=
ons
> >>>> but it contain manifest file.
> >>>> On mirrors we have pub/FreeBSD/snapshots/${ARCH}/11.0-CURRENT/*txz =
and
> >>>> MANIFEST, sha256 sums from _local_ manifest doesn't match sha256 sum=
s for
> >>>> fetched files. I suppose it will be fine with RELEASE bootonly iso b=
ut
> >>>> not with stable/current.
> >>>> there is 2 ways how we can handle it:
> >>>> 1) download remote MANIFEST if spotted checksum mismatch and trying =
to
> >>>> use it 2) allow user to continue installation with 'broken' distribu=
tions
> >>>>
> >>>> I had to first put 10.1 then update it to HEAD :(
> >>>>
> >>>> What do you think ?
> >>> When I get some time I=E2=80=99ll have a look and see what I can do.
> >>> =E2=80=94
> >>> Cheers,
> >>> Devin
> >>>
> >>>
> >> Using the local manifest is a security feature -- there is otherwise
> >> zero protection against a man-in-the-middle attack. Ideally, you'd use
> >> the ISO that matches the posted files. There are three options here:
> >> 1. Add a dialog that lets you move ahead in the event of checksum
> >> failure, which makes me very nervous.
> >> 2. Use the boot1 disk.
> >> 2a. For release engineering: if the posted tarballs change too fast, t=
he
> >> bootonly disk isn't actually useful for -CURRENT and should probably be
> >> removed from the FTP server.
> > I don't think so. I use only bootonly ISOs when I (rare) setup new
> > fbsd instances, disk1 contain to much useless (for me) things. I
> > haven't fast internet (in 2015, yes) so download data1 image is a pain.
>=20
> What useless things, out of curiousity? If you want source (which you=20
> probably do if you are running -CURRENT), boot1 + downloading kernel,=20
> base, and source code is 80% the size of disc1 for amd64. It's just not=20
> a huge difference.
>=20
~55 vs ~360 MB (FreeBSD-11.0-CURRENT-amd64-20150302-r279514-bootonly.iso.xz=
VS
FreeBSD-11.0-CURRENT-amd64-20150302-r279514-disc1.iso.xz)
I do fetch src/ports (both HEAD) from svn so _in my case_ it is useless
(tarballs a bit outdated as minimum). Main purpose of ISOs (for me) is allo=
w to
install minimal FreeBSD on new server. Than I can ssh into it and setup us=
eful
stuff
> > What about STABLE images/tarballs ? If I understand correctly it is al=
so
> > uploaded too fast...
>=20
> The same issue applies there, yes.
>=20
> >> 3. You could reroll the ISO (just untar and run makefs again),
> >> commenting out line 180 of /usr/libexec/bsdinstall/scripts/auto.
> >> -Nathan
> > sure I can.
> > Idea with a dialog is a good idea, IMO :)
> >
>=20
> That's so@'s lookout. I'd prefer actual signatures to checksum=20
> verification + an option to skip.
> -Nathan
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
--
wbr, tiger
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150323205938.2098615f>