Date: Wed, 20 Jan 2016 17:25:52 +0000
From: Matthew Seaman <matthew@freebsd.org>
To: mfv@bway.net
Cc: freebsd-questions@freebsd.org
Subject: Re: Downloading 10.2-RELEASE-p10 source without prayer
Message-ID: <569FC320.1080906@freebsd.org>
In-Reply-To: <20160120115808.6133c482@gecko4>
References: <CAPi0psv=XoZ4Zd_J4g-dLLOTtD9FCCbdiTn7AaA6BX4QwS4-og@mail.gmail.com> <CAPi0psuP96f--dnRKpWZaDtsKX-1N=n%2B4hJ_yhwnB19-iOHaKg@mail.gmail.com> <569F4344.5020907@FreeBSD.org> <20160120115808.6133c482@gecko4>

On 01/20/16 16:58, mfv wrote:
>> On Wed, 2016-01-20 at 08:20 Matthew Seaman <matthew@FreeBSD.org>
>> wrote:
>>
>> On 20/01/2016 01:30, Chris Stankevitz wrote:
>>> On Tue, Jan 19, 2016 at 4:45 PM, Chris Stankevitz
>>> <chrisstankevitz@gmail.com> wrote:
>>>>> Of course I'm being sarcastic about the prayer... but is there a
>>>>> way (a tarball or special SVN tag/branch) to get the "official"
>>>>> 10.2-RELEASE-p10 code? What do the freebsd-update servers use?
>>
>>> I could just look at "svn log -l 1" and see if it jives more or less
>>> with the most recent freebsd-announce email.
>>
>> Depends how paranoid you want to be.
>>
>> If you download one of the DVD installation images, that should include
>> base system sources and will have offline checksums that you can
>> verify.
>>
>> You can then apply the patches from all of the SAs and ENs published
>> since, all of which are digitally signed. That's probably as good as
>> you can get in ensuring you've got authentic, untampered sources.
>>
>> Most people would find it good enough to use eg. freebsd-update -- the
>> updates are cryptographically signed, so you can be reasonably certain
>> that what it installs on your system is the same as what it has on the
>> servers. It does use a pretty direct connection to the master SVN
>> repository for obtaining the code it builds from, but you generally
>> have to trust that it is using unadulterated sources itself.
>> freebsd-update can maintain a copy of /usr/src for you.
>>
>> Or else you can just checkout the RELENG-10 branch from one of the SVN
>> mirrors:
>>
>>    # cd /usr
>>    # svn co https://svn.freebsd.org/base/releng/10.2 src
>>
>> The SSL cert on the server should be sufficient guarantee you've not
>> been spoofed into some MITM scenario.
>>
>> Cheers,
>>
>> Matthew
>>
>
> Hello Matthew,
>
> Thanks for outlining those steps for updating system source code. Being
> a bit on the paranoid side these are the steps I have been following.
> Rather than using svn, however, I've been using svnup which for a
> single host seems to be sufficiently light weight.
>
> I've been using https for the protocol setting but was wondering if
> there is greater security using the svn protocol. Is one protocol more
> secure than another? Or does it really make a difference?

There's not a lot of difference functionality- or performance-wise as
far as an end-user is concerned. However, only https gives you any
assurance that you are connecting to the server you thought you were.
You will need to check the cert -- svn will ask you about it the first
time you connect.

Cheers,

Matthew
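
Added example, not part of the original message: the "offline checksums" step described above, as a POSIX shell check of downloaded files against a BSD-style `SHA256 (name) = hex` manifest, the layout of the CHECKSUM.SHA256 files published with FreeBSD release images. The function names and the sample file are constructed for illustration, and it assumes `sha256` (FreeBSD) or `sha256sum` (GNU coreutils) is installed.

```sh
#!/bin/sh
# Added example: check files against a BSD-style checksum manifest, the
# "SHA256 (name) = hex" layout of FreeBSD CHECKSUM.SHA256 files.
# Print a file's SHA-256 as hex with whichever tool this system has.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD base system
    else
        sha256sum "$1" | cut -d ' ' -f 1    # GNU coreutils
    fi
}

# verify_manifest MANIFEST DIR: returns 0 only if every entry parses and matches.
verify_manifest() {
    pre='SHA256 (' mid=') = ' rc=0 seen=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case $line in "$pre"*"$mid"*) ok=1 ;; *) ok=0 ;; esac
        name=${line#"$pre"}; name=${name%"$mid"*}; want=${line##*"$mid"}
        # Refuse path components in names and anything but 64 lowercase hex digits.
        case $name in ''|*/*) ok=0 ;; esac
        case $want in *[!0-9a-f]*) ok=0 ;; esac
        [ "${#want}" -eq 64 ] || ok=0
        if [ "$ok" -eq 0 ]; then echo "REJECTED: $line" >&2; rc=1; continue; fi
        seen=$((seen + 1))
        if [ ! -f "$2/$name" ]; then
            echo "MISSING: $name" >&2; rc=1
        elif [ "$(sha256_of "$2/$name")" = "$want" ]; then
            echo "OK: $name"
        else
            echo "MISMATCH: $name" >&2; rc=1
        fi
    done < "$1"
    [ "$seen" -gt 0 ] || rc=1    # an empty manifest verifies nothing
    return "$rc"
}

# Constructed demo: a stand-in "image", its manifest, then a modified copy.
demo() {
    d=$(mktemp -d) || return 2
    printf 'stand-in image contents\n' > "$d/sample.iso"
    printf 'SHA256 (sample.iso) = %s\n' "$(sha256_of "$d/sample.iso")" > "$d/CHECKSUM.SHA256"
    before=0; verify_manifest "$d/CHECKSUM.SHA256" "$d" || before=1
    printf 'x' >> "$d/sample.iso"           # simulate a corrupted download
    after=0; verify_manifest "$d/CHECKSUM.SHA256" "$d" 2>/dev/null || after=1
    rm -rf "$d"
    [ "$before" -eq 0 ] && [ "$after" -eq 1 ]
}
demo && echo "demo: intact copy accepted, modified copy rejected"
```

For a real download, run `verify_manifest CHECKSUM.SHA256 .` in the directory holding the image. The result is only as trustworthy as the channel the manifest itself came from.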