Date:      Wed, 20 Jan 2016 11:58:08 -0500
From:      mfv <mfv@bway.net>
To:        Matthew Seaman <matthew@FreeBSD.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Downloading 10.2-RELEASE-p10 source without prayer
Message-ID:  <20160120115808.6133c482@gecko4>
In-Reply-To: <569F4344.5020907@FreeBSD.org>
References:  <CAPi0psv=XoZ4Zd_J4g-dLLOTtD9FCCbdiTn7AaA6BX4QwS4-og@mail.gmail.com> <CAPi0psuP96f--dnRKpWZaDtsKX-1N=n%2B4hJ_yhwnB19-iOHaKg@mail.gmail.com> <569F4344.5020907@FreeBSD.org>

> On Wed, 2016-01-20 at 08:20 Matthew Seaman <matthew@FreeBSD.org>
> wrote:
>
>On 20/01/2016 01:30, Chris Stankevitz wrote:
>> On Tue, Jan 19, 2016 at 4:45 PM, Chris Stankevitz
>> <chrisstankevitz@gmail.com> wrote:  
>>> > Of course I'm being sarcastic about the prayer... but is there a
>>> > way (a tarball or special SVN tag/branch) to get the "official"
>>> > 10.2-RELEASE-p10 code?  What do the freebsd-update servers use?  
>
>> I could just look at "svn log -l 1" and see if it jives more or less
>> with the most recent freebsd-announce email.  
>
>Depends how paranoid you want to be.
>
>If you download one of the DVD installation images, that should include
>base system sources and will have offline checksums that you can
>verify.
>
>You can then apply the patches from all of the SAs and ENs published
>since, all of which are digitally signed.  That's probably as good as
>you can get in ensuring you've got authentic, untampered sources.
>
>Most people would find it good enough to use eg. freebsd-update -- the
>updates are cryptographically signed, so you can be reasonably certain
>that what it installs on your system is the same as what it has on the
>servers.  It does use a pretty direct connection to the master SVN
>repository for obtaining the code it builds from, but you generally
>have to trust that it is using unadulterated sources itself.
>freebsd-update can maintain a copy of /usr/src for you.
>
>Or else you can just checkout the RELENG-10 branch from one of the SVN
>mirrors:
>
># cd /usr
># svn co https://svn.freebsd.org/base/releng/10.2 src
>
>The SSL cert on the server should be sufficient guarantee you've not
>been spoofed into some MITM scenario.
>
>	Cheers,
>
>	Matthew
>

Hello Matthew,

Thanks for outlining those steps for updating system source code. Being
a bit on the paranoid side, these are the steps I have been following.
Rather than using svn, however, I've been using svnup, which for a
single host seems to be sufficiently lightweight.

I've been using https for the protocol setting but was wondering if
there is greater security using the svn protocol.  Is one protocol more
secure than another?  Or does it really make a difference?

Cheers ...

Marek
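
The quoted reply suggests checking the installation image against its published checksums before trusting the sources on it. As an added example (not part of this thread and not FreeBSD project code), the shell functions below check a file against a checksum list in the `SHA256 (name) = digest` format that the FreeBSD `sha256` utility prints, and fail closed when the file is not listed; the function names are assumptions, and the list itself has to come from a channel you already trust.

```shell
#!/bin/sh
# Added example: verify a download against a BSD-style checksum list.
# Expected line format:  SHA256 (name) = <64 hex digits>

# Print the SHA-256 digest of a file with whichever tool is installed.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                        # FreeBSD base system
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'     # GNU coreutils
    else
        shasum -a 256 "$1" | awk '{print $1}' # Perl shasum
    fi
}

# verify_listed FILE CHECKSUM_LIST
#   0  FILE is listed exactly once and its digest matches
#   1  FILE is listed but the digest differs
#   2  cannot decide: unreadable input, FILE unlisted, listed more
#      than once, or a malformed digest (treated as failure)
# File names containing spaces are not matched and so return 2.
verify_listed() {
    file=$1
    list=$2
    [ -r "$file" ] && [ -r "$list" ] || return 2
    name=$(basename "$file")

    # Pick the digest recorded for this exact name; reject 0 or >1 hits.
    expected=$(awk -v n="$name" '
        $1 == "SHA256" && $2 == ("(" n ")") && $3 == "=" {
            print tolower($4); hits++
        }
        END { if (hits != 1) exit 1 }' "$list") || return 2

    # A usable digest is exactly 64 lowercase hex characters.
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ ${#expected} -eq 64 ] || return 2

    actual=$(sha256_of "$file" | tr 'A-F' 'a-f') || return 2
    [ "$actual" = "$expected" ]
}

# Usage: verify_listed ./image.iso ./CHECKSUM.SHA256 && echo "digest matches"
```

A match only shows the file agrees with the list, so the list's own origin still matters.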


