Date:      Sat, 23 Sep 2006 10:28:00 -0700
From:      Chris Maness <chris@chrismaness.com>
To:        gayn.winters@bristolsystems.com
Cc:        freebsd-questions@freebsd.org
Subject:   Re: freebsd-update defaults and restrictions
Message-ID:  <45156EA0.9000806@chrismaness.com>

> Colin Percival's freebsd-update utility has a number of options/flags
> that I can't figure out from
> man freebsd-update or
> man freebsd-update.conf or
> freebsd-update.conf.sample
>
> Syntax:
> freebsd-update [-b basedir] [--branch branchname] [-k KEY] command [URL]
>
> -b basedir "Act on a FreeBSD world based at ... basedir"  
> What does this mean?  If omitted, what is the default?
>
> --branch branchname  Possibilities are nocrypto, crypto, ... .
> The example in Bejtlich's paper
> <http://www.taosecurity.com/keeping_freebsd_up-to-date.html>
> doesn't use --branch, and yet he implies the default is crypto and that
> most installations need crypto.  Is the default crypto?  How would I
> know what I need?
>
> -k KEY  "A public key with a given MD5 hash"
> URL     "The URL from which updates are fetched"
>
> The above two can also be specified in freebsd-update.conf and the
> sample file has URL pointing to update.daemonology.net (Colin's web
> server).  Bejtlich states that the KEY and the URL in the .conf file are
> cooked to get updates from Colin's site, and to use the sample file "if
> you trust [Colin] to securely build binary updates for you to blindly
> install ..."  Aside from Bejtlich's obvious tongue-in-cheek negativity
> (they are both security guys after all, and Colin is the FreeBSD
> security officer), are there other possible sites for updates?  How do I
> figure out a correct value for KEY if I know the URL?  Incidentally, the
> KEY and the URL are required, since they either need to be specified on
> the command line as in the above syntax or via the configuration file.
>
> Finally, freebsd-update must operate on a GENERIC kernel, but does this
> mean I can still use device.hints?
>
> Any help would be greatly appreciated.
>
> -gayn
>
> Bristol Systems Inc.
> 714/532-6776
> www.bristolsystems.com

If freebsd-update installs new kernel modules, will the system have to 
be re-booted?  If the system does need to be re-booted, will 
freebsd-update do it?  If I have to manually reboot, when do I know a 
particular update calls for re-booting?

Sorry for the 20 questions.

Chris Maness


