From: Chris Maness <chris@chrismaness.com>
Date: Sat, 23 Sep 2006 10:28:00 -0700
To: gayn.winters@bristolsystems.com
Cc: freebsd-questions@freebsd.org
Subject: Re: freebsd-update defaults and restrictions
Message-ID: <45156EA0.9000806@chrismaness.com>

> Colin Percival's freebsd-update utility has a number of options/flags
> that I can't figure out from
>     man freebsd-update or
>     man freebsd-update.conf or
>     freebsd-update.conf.sample
>
> Syntax:
>     freebsd-update [-b basedir] [--branch branchname] [-k KEY] command [URL]
>
> -b basedir    "Act on a FreeBSD world based at ... basedir"
>               What does this mean? If omitted, what is the default?
>
> --branch branchname    Possibilities are nocrypto, crypto, ... .
> The example in Bejtlich's paper
>     www.taosecurity.com/keeping_freebsd_up-to-date.html
> doesn't use --branch, and yet he implies the default is crypto and that
> most installations need crypto. Is the default crypto? How would I
> know what I need?
>
> -k KEY    "A public key with a given MD5 hash"
> URL       "The URL from which updates are fetched"
>
> The above two can also be specified in freebsd-update.conf and the
> sample file has URL pointing to update.daemonology.net (Colin's web
> server). Bejtlich states that the KEY and the URL in the .conf file are
> cooked to get updates from Colin's site, and to use the sample file "if
> you trust [Colin] to securely build binary updates for you to blindly
> install ..." Aside from Bejtlich's obvious tongue-in-cheek negativity
> (they are both security guys after all, and Colin is the FreeBSD
> security officer), are there other possible sites for updates? How do I
> figure out a correct value for KEY if I know the URL? Incidentally, the
> KEY and the URL are required, since they either need to be specified on
> the command line as in the above syntax or via the configuration file.
>
> Finally, freebsd-update must operate on a GENERIC kernel, but does this
> mean I can still use device.hints?
>
> Any help would be greatly appreciated.
>
> -gayn
>
> Bristol Systems Inc.
> 714/532-6776
> www.bristolsystems.com

If freebsd-update installs new kernel modules, will the system have to be
re-booted? If the system does need to be re-booted, will freebsd-update do
it? If I have to manually reboot, when do I know a particular update calls
for re-booting?

Sorry for the 20 questions.

Chris Maness
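The reboot question above is the one a practitioner usually settles by looking at which files the update actually replaced: freebsd-update does not reboot the machine itself, so the decision is the administrator's. The following is an added example, not code from the thread or from freebsd-update. It assumes you have captured the list of updated paths (freebsd-update prints the files it installs; the list embedded here is a constructed sample, not real tool output) and classifies the update conservatively: anything under /boot/kernel or /boot/modules means the running kernel or a kernel module on disk no longer matches what is loaded, so plan a reboot; a replaced shared library means long-running daemons still hold the old copy and should be restarted; anything else needs no action.

```sh
#!/bin/sh
# Added example (not from the thread). Decide what an update requires of the
# operator from the list of files it replaced. The path patterns are
# assumptions about a GENERIC install, not something freebsd-update tells you.

# Constructed sample lists of updated paths (not real freebsd-update output).
SAMPLE_KERNEL_UPDATE='/boot/kernel/kernel
/boot/kernel/if_em.ko
/usr/lib/libcrypto.so.4'

SAMPLE_LIBRARY_UPDATE='/usr/bin/ssh
/usr/lib/libssh.so.3
/etc/ssh/sshd_config'

SAMPLE_CONFIG_UPDATE='/etc/ssh/sshd_config
/usr/share/man/man5/freebsd-update.conf.5.gz'

# classify_updates: read one path per line on stdin and print the strongest
# action required:
#   reboot           kernel or kernel module replaced on disk
#   restart-services a shared library changed; running daemons hold the old one
#   none             nothing that needs operator action
classify_updates() {
    verdict=none
    while IFS= read -r path; do
        case "$path" in
            /boot/kernel/*|/boot/modules/*)
                # Kernel bits on disk now differ from what is running: reboot.
                verdict=reboot
                ;;
            /lib/*.so*|/usr/lib/*.so*|/usr/lib32/*.so*)
                # Only escalate; a reboot verdict already covers this case.
                [ "$verdict" = reboot ] || verdict=restart-services
                ;;
        esac
    done
    echo "$verdict"
}

# update_verdict: convenience wrapper taking the path list as one argument.
update_verdict() {
    printf '%s\n' "$1" | classify_updates
}

# Stand-alone run: show the verdict for each constructed sample.
update_verdict "$SAMPLE_KERNEL_UPDATE"
update_verdict "$SAMPLE_LIBRARY_UPDATE"
update_verdict "$SAMPLE_CONFIG_UPDATE"
```

In practice you would feed it the file list freebsd-update printed during install (or a diff of `ls -lR /boot/kernel` taken before and after); the rule is deliberately conservative, since a replaced .ko that is not currently loaded does not strictly need a reboot, but treating every kernel-directory change as one keeps the loaded kernel and the on-disk kernel in step.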