Re: freebsd-update defaults and restrictions

2006-09-23 Thread Chris Maness

Colin Percival's freebsd-update utility has a number of options/flags
that I can't figure out from
man freebsd-update or
man freebsd-update.conf or
freebsd-update.conf.sample

Syntax:
freebsd-update [-b basedir] [--branch branchname] [-k KEY] command [URL]


-b basedir Act on a FreeBSD world based at ... basedir  
What does this mean?  If omitted, what is the default?


--branch branchname  Possibilities are nocrypto, crypto, ... .
The example in Bejtlich's paper
www.taosecurity.com/keeping_freebsd_up-to-date.html
doesn't use --branch, and yet he implies the default is crypto and that
most installations need crypto.  Is the default crypto?  How would I
know what I need?

-k KEY  A public key with a given MD5 hash
URL The URL from which updates are fetched

The above two can also be specified in freebsd-update.conf and the
sample file has URL pointing to update.daemonology.net (Colin's web
server).  Bejtlich states that the KEY and the URL in the .conf file are
cooked to get updates from Colin's site, and to use the sample file if
you trust [Colin] to securely build binary updates for you to blindly
install ...  Aside from Bejtlich's obvious tongue-in-cheek negativity
(they are both security guys after all, and Colin is the FreeBSD
security officer), are there other possible sites for updates?  How do I
figure out a correct value for KEY if I know the URL?  Incidentally, the
KEY and the URL are required, since they either need to be specified on
the command line as in the above syntax or via the configuration file.

Finally, freebsd-update must operate on a GENERIC kernel, but does this
mean I can still use device.hints?

Any help would be greatly appreciated.

-gayn

Bristol Systems Inc.
714/532-6776
www.bristolsystems.com

If freebsd-update installs new kernel modules, will the system have to
be re-booted?  If the system does need to be re-booted, will
freebsd-update do it?  If I have to manually reboot, when do I know a
particular update calls for re-booting?


Sorry for the 20 questions.

Chris Maness
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: freebsd-update defaults and restrictions

2006-01-20 Thread Richard Bejtlich
Gayn Winters wrote:

 Bejtlich states that the KEY and the URL in the .conf file are
 cooked to get updates from Colin's site, and to use the sample file if
 you trust [Colin] to securely build binary updates for you to blindly
 install ...  Aside from Bejtlich's obvious tongue-in-cheek negativity
 (they are both security guys after all, and Colin is the FreeBSD
 security officer), are there other possible sites for updates?

Hello,

If you take a look at the text you're quoting, you'll notice that it's
output from installing freebsd-update.  I did not need to apply any
obvious tongue-in-cheek negativity in my article -- those are
Colin's words!  I have the utmost respect for Colin; he's been very
helpful in the community.

Also, when I wrote the original article (Dec 04), Colin was not the
security officer. That didn't happen until Aug 05, which is still
after the date on the current article (Apr 05).

For the latest info, you might like to read my article published in
the Feb 06 Sys Admin magazine on Keeping FreeBSD Up-to-Date.

To your questions -- I don't know of any sites beyond Colin's that
provide updates at this time.  If we see freebsd-update moved into the
base system, I expect to see freebsd.org mirrors carrying them.  It
would be nice to have updates for non-i386 platforms, too.

I defer to Colin for your other queries.

Sincerely,

Richard


freebsd-update defaults and restrictions

2006-01-02 Thread Gayn Winters
Colin Percival's freebsd-update utility has a number of options/flags
that I can't figure out from
man freebsd-update or
man freebsd-update.conf or
freebsd-update.conf.sample

Syntax:
freebsd-update [-b basedir] [--branch branchname] [-k KEY] command [URL]

-b basedir Act on a FreeBSD world based at ... basedir  
What does this mean?  If omitted, what is the default?

--branch branchname  Possibilities are nocrypto, crypto, ... .
The example in Bejtlich's paper
www.taosecurity.com/keeping_freebsd_up-to-date.html 
doesn't use --branch, and yet he implies the default is crypto and that
most installations need crypto.  Is the default crypto?  How would I
know what I need?

-k KEY  A public key with a given MD5 hash
URL The URL from which updates are fetched

The above two can also be specified in freebsd-update.conf and the
sample file has URL pointing to update.daemonology.net (Colin's web
server).  Bejtlich states that the KEY and the URL in the .conf file are
cooked to get updates from Colin's site, and to use the sample file if
you trust [Colin] to securely build binary updates for you to blindly
install ...  Aside from Bejtlich's obvious tongue-in-cheek negativity
(they are both security guys after all, and Colin is the FreeBSD
security officer), are there other possible sites for updates?  How do I
figure out a correct value for KEY if I know the URL?  Incidentally, the
KEY and the URL are required, since they either need to be specified on
the command line as in the above syntax or via the configuration file.

Finally, freebsd-update must operate on a GENERIC kernel, but does this
mean I can still use device.hints?

Any help would be greatly appreciated.

-gayn

Bristol Systems Inc.
714/532-6776
www.bristolsystems.com 

