Re: FreeBSD 6.0->6.1 binary upgrade script

2006-07-09 Thread Colin Percival
Peter Jeremy wrote:
> On Sun, 2006-Jul-09 00:42:31 -0700, Colin Percival wrote:
>> I have written an automatic script
>> for performing binary FreeBSD 6.0 -> FreeBSD 6.1 upgrades.
> 
> That sounds useful.  Are you intending to provide this for future
> FreeBSD minor-revision releases?

Yes.  This is made much easier by the work I'm doing rewriting FreeBSD Update.

> But how can I tell that the script came from the FreeBSD Security
> Officer?  You have signed your mail with a key (ID 0xD09347FC) that
> claims to be a Colin Percival with an Oxford Uni address (whereas this
> mail has a freebsd.org address) but the key that I downloaded from a
> PGP keyserver has no other signatures.  You don't have a key in the
> FreeBSD CVS repository that I can locate

Oops.  I really ought to add my key there some day -- it hasn't mattered
until now since I've always signed security-related emails with the SO key.

Here's my PGP public key, which you will note is signed with the FreeBSD
Security Officer key.


Colin Percival
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: FreeBSD 6.0->6.1 binary upgrade script

2006-07-09 Thread Peter Jeremy
On Sun, 2006-Jul-09 00:42:31 -0700, Colin Percival wrote:
> I have written an automatic script
> for performing binary FreeBSD 6.0 -> FreeBSD 6.1 upgrades.

That sounds useful.  Are you intending to provide this for future
FreeBSD minor-revision releases?

> Naturally, the cryptographic hashes of all the files are verified
> against values stored in the script, so as long as you trust the
> FreeBSD Security Officer (and if you don't, why are you running
> FreeBSD?), the process is entirely secure.

But how can I tell that the script came from the FreeBSD Security
Officer?  You have signed your mail with a key (ID 0xD09347FC) that
claims to be a Colin Percival with an Oxford Uni address (whereas this
mail has a freebsd.org address) but the key that I downloaded from a
PGP keyserver has no other signatures.  You don't have a key in the
FreeBSD CVS repository that I can locate and I can't find any keys on
www.daemonology.net.  Basically, I only have your word that you are
who you claim to be.

(Of course, I still need to be able to trust the FreeBSD CVS repository
but if I can't trust that, I can't trust my OS either).

If you really are the FreeBSD Security Officer why can't I find copies
of your key and FreeBSD SO key (0xCA6CDFB2) that are counter-signed
by each other?

-- 
Peter Jeremy




FreeBSD 6.0->6.1 binary upgrade script

2006-07-09 Thread Colin Percival
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear FreeBSD 6.0 users,

Those of you who read my blog (http://www.daemonology.net/blog/) will have seen
this already; but for those of you who don't: I have written an automatic script
for performing binary FreeBSD 6.0 -> FreeBSD 6.1 upgrades.

This script will install exactly the same files as are distributed on the ISO
image, and it will attempt to automatically merge configuration file changes (in
the very unlikely case that it cannot automatically merge changes, it will ask
you to merge the changes for it).  The script takes approximately 15 minutes,
and typically downloads under 20MB of files and binary patches.

Naturally, the cryptographic hashes of all the files are verified against values
stored in the script, so as long as you trust the FreeBSD Security Officer (and
if you don't, why are you running FreeBSD?), the process is entirely secure.

The script can be obtained from
  http://www.daemonology.net/freebsd-upgrade-6.0-to-6.1/
and the SHA256 hash of the download is
  29075fc5711e0b20d879c69d12bbe5414c1c56d597c8116da7acc0d291116d2f .

Colin Percival
FreeBSD Security Officer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (FreeBSD)

iD8DBQFEsLNnMt4ezdCTR/wRAmRUAKDQFOFxK3y58/vy0Vzx8sov8synWgCg4sYG
UfDhAxNjWRq7+zawVvM8cp0=
=3gBy
-----END PGP SIGNATURE-----
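
The hash in the announcement and the key question raised in the replies form one check: the hash is only worth comparing once the signature on the text that carries it traces to a key you already trust. The following sh sketch of that check is an added example, not part of the thread and not Colin Percival's upgrade script; the function names and the `PINNED_FPR` placeholder are assumptions, and `gpg` is assumed to already hold the signer's public key.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed check of a download against
# the hash in a clearsigned announcement. PINNED_FPR is a placeholder; set it to
# a primary-key fingerprint you have confirmed through a path you already trust.
PINNED_FPR="${PINNED_FPR:-REPLACE_WITH_VERIFIED_FINGERPRINT}"

# SHA-256 of a file: FreeBSD sha256(1), else sha256sum, else openssl.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# Succeeds only if gpg's status output reports a valid signature whose
# primary-key fingerprint (last VALIDSIG field) equals PINNED_FPR.
# Appending "" forces a string comparison, never a numeric one.
signer_ok() {
    awk -v want="$PINNED_FPR" \
        '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($NF "") == (want "") { ok = 1 }
         END { exit !ok }' "$1"
}

# Print the single 64-hex-digit hash found in a text file; fail on zero or many.
published_hash() {
    found=$(tr -cs '0-9a-f' '\n' < "$1" | grep -Ex '[0-9a-f]{64}' | sort -u)
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$found"
}

# verify_download ANNOUNCEMENT.asc DOWNLOADED_FILE
# The hash is read from the text gpg emits as signed, never from the raw mail,
# so lines added outside the signed region cannot supply it.
verify_download() {
    tmp=$(mktemp -d) || return 1
    gpg --batch --status-fd 3 --output "$tmp/body" --decrypt "$1" \
        3>"$tmp/status" 2>/dev/null &&
    signer_ok "$tmp/status" &&
    want=$(published_hash "$tmp/body") &&
    [ "$(sha256_of "$2")" = "$want" ]
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run the downloaded script only when `verify_download` returns 0; any missing key, bad signature, unexpected signer or hash mismatch yields a non-zero status.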