Re: 12.2R Sigs

2020-09-18 Thread Glen Barber
On Thu, Sep 17, 2020 at 09:09:26PM -0400, grarpamp wrote: > >> > And there is the PGP-signed email to stable@ that contains > >> > them. > >> > >> Future noting that lists do not support foreknown path schemes > >> for that data. Whereas repo, website and dataset locations are more > >>

Re: 12.2R Sigs

2020-09-17 Thread Glen Barber
On Thu, Sep 17, 2020 at 08:03:54PM -0400, grarpamp wrote: > > They will be added with the first RC build > > Yes RC* seems the latest point in timeline > to begin exercise them. > > > a bug in the order of operations > > > And there is the PGP-signed email to stable@ that contains > > them. >

Re: 12.2R Sigs

2020-09-17 Thread Glen Barber
On Thu, Sep 17, 2020 at 03:41:22PM -0400, grarpamp wrote: > https://svnweb.freebsd.org/doc/head/en_US.ISO8859-1/htdocs/releases/12.2R/signatures.xml > > Is it plan that 12.x 13.x etc continue with > provision of sig files for BETA and RC? > If so, process can be added to releng todo docs, > and

Re: pkg.freebsd.org cert has expired :/

2020-06-18 Thread Glen Barber
On Fri, Jun 19, 2020 at 12:21:10AM +0200, Daniel Lysfjord via freebsd-security wrote: > On 19.06.2020 00:14, Gordon Tetlow via freebsd-security wrote: > > pkg.freebsd.org is a geographically distributed > > set of servers. Can you please go to https://pkg.freebsd.org/

Re: Cryptographic signatures of installer sets

2020-02-12 Thread Glen Barber
On Tue, Feb 11, 2020 at 11:31:32PM +, Nathan Dorfman wrote: > > The patch I have at the moment looks for the MANIFEST (rather, the > > --) file in the location they are > > installed by the misc/freebsd-release-manifests package. > > This seems reasonable, but I think the checksum script is

Re: Cryptographic signatures of installer sets

2020-02-03 Thread Glen Barber
On Sat, Feb 01, 2020 at 11:34:20PM +, Nathan Dorfman wrote: > On Thu, Jan 30, 2020 at 01:22:39PM +0000, Glen Barber wrote: > > I honestly wasn't aware there was a jail subcommand to bsdinstall. > > I think, rather than creating /usr/freebsd-dist on the host system, we > >

Re: Cryptographic signatures of installer sets

2020-01-30 Thread Glen Barber
Hi Nathan, On Thu, Jan 30, 2020 at 12:50:06AM +, Nathan Dorfman wrote: > On Mon, Jan 27, 2020 at 04:42:01PM +0000, Glen Barber wrote: > > No, this last part is not true. The installer always verifies the > > checksums against /usr/freebsd-dist/MANIFEST on the inst

Re: Cryptographic signatures of installer sets

2020-01-27 Thread Glen Barber
On Sat, Jan 25, 2020 at 08:00:07PM +, Nathan Dorfman wrote: > Hello all, > > I really hope I'm missing something here, and we can all have a nice > chuckle at my expense. > > But I can't see any way the integrity of the installer sets (base.txz, > kernel.txz and friends) can be verified

Re: Signatures for base.txz, kernel.txz, etc?

2016-11-04 Thread Glen Barber
On Fri, Nov 04, 2016 at 04:03:04PM +, org.freebsd.secur...@io7m.com wrote: > Hello. > > Are there any plans to provide PGP signatures on base.txz, kernel.txz, > and friends? Right now, the only (apparent) way to obtain them is via > http://ftp.freebsd.org over unsecured HTTP (the HTTPS

Re: FreeBSD Security Advisory FreeBSD-SA-16:25.bspatch

2016-07-25 Thread Glen Barber
On Mon, Jul 25, 2016 at 07:08:57PM +0300, George L. Yermulnik wrote: > > # fetch https://security.FreeBSD.org/patches/SA-16:25/bspatch.patch > > # fetch https://security.FreeBSD.org/patches/SA-16:25/bspatch.patch.asc > > # gpg --verify bspatch.patch.asc > > fetch:

Re: FreeBSD Security Advisory FreeBSD-SA-16:16.ntp

2016-04-29 Thread Glen Barber
On Fri, Apr 29, 2016 at 01:13:21PM +0200, ga...@zahemszky.hu wrote: > >2) To update your vulnerable system via a binary patch: > > > >Systems running a RELEASE version of FreeBSD on the i386 or amd64 > >platforms can be updated via the freebsd-update(8) utility: > > > ># freebsd-update fetch > >#

Re: Quarterly packages and security updates...

2015-08-13 Thread Glen Barber
On Thu, Aug 13, 2015 at 05:01:29PM -0400, Mason Loring Bliss wrote: On Thu, Aug 13, 2015 at 08:40:23PM +, Glen Barber wrote: [info@ removed, not sure why that email address was included.] I'm hoping for pressure from above, as this is an important step that's evidently being taken

Re: Quarterly packages and security updates...

2015-08-13 Thread Glen Barber
[info@ removed, not sure why that email address was included.] On Thu, Aug 13, 2015 at 04:20:08PM -0400, Mason Loring Bliss wrote: A recent quarterly report: https://www.freebsd.org/news/status/report-2015-04-2015-06.html and last week's BSD Now episode both hint that quarterly

Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

2014-12-24 Thread Glen Barber
On Wed, Dec 24, 2014 at 05:42:16PM +0100, Andrei wrote: On Wed, 24 Dec 2014 00:33:09 +0100 (CET) FreeBSD Security Advisories security-advisor...@freebsd.org wrote: No workaround is available, but systems not running ntpd(8) are not affected. Because the issue may lead to remote root

Re: RFC: Proposal: Install a /etc/ssl/cert.pem by default?

2014-07-02 Thread Glen Barber
On Wed, Jul 02, 2014 at 04:45:53PM -0700, Xin Li wrote: Hi, Currently, FreeBSD does not install a default /etc/ssl/cert.pem because we do not maintain one ourselves. We do, however, provide a port, security/ca_root_nss, which has an option to install a symbolic link as /etc/ssl/cert.pem -

Re: freebsd-update.conf IgnorePaths linker.hints not working

2014-05-25 Thread Glen Barber
On Mon, May 26, 2014 at 10:40:02AM +0800, Gregory Orange wrote: Hi everyone, I've got freebsd-update cron running every night, and each time get the following (regardless of whether I then run freebsd-update install): The following files will be updated as part of updating to

Re: FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver

2013-04-30 Thread Glen Barber
On Tue, Apr 30, 2013 at 01:36:52PM -0600, Brett Glass wrote: This is one of several reasons why one would expect freebsd-update(8) to be considerate of a custom kernel: it is documented as knowing about /boot/GENERIC as the place to put the GENERIC kernel if one builds a custom one. Let's

Re: FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver

2013-04-30 Thread Glen Barber
On Tue, Apr 30, 2013 at 04:41:03PM -0600, Brett Glass wrote: At 03:15 PM 4/30/2013, Glen Barber wrote: Let's start from the beginning. What is the name of your custom kernel? The file name of the compiled kernel? The file name of the configuration file? Or the identification string within

Re: FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver

2013-04-30 Thread Glen Barber
On Tue, Apr 30, 2013 at 07:48:50PM -0600, Brett Glass wrote: At 04:48 PM 4/30/2013, Glen Barber wrote: So, since I know you're not new to FreeBSD, if you feel there is a bug somewhere, please file a PR. I disagree that there is a problem, however, since users building a custom kernel should

Re: FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver

2013-04-30 Thread Glen Barber
On Wed, May 01, 2013 at 04:47:48AM +0200, Melanie Schulte wrote: Hi, I disagree that there is a problem, however, since users building a custom kernel should _not_ use freebsd-update(8) for kernel upgrades. Could you please elaborate on that? I have also built my own kernel on my servers

Re: FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver

2013-04-29 Thread Glen Barber
On Mon, Apr 29, 2013 at 04:08:22PM -0600, Brett Glass wrote: Please be advised that, when using freebsd-update(8) to install the patch for this security problem, freebsd-update will move the current kernel to /boot/kernel.old, and install a new GENERIC kernel in /boot/kernel, even if you have

Can't make everyone happy.... [Re: svn commit: r239569 - head/etc/rc.d]

2012-09-11 Thread Glen Barber
On Tue, Sep 11, 2012 at 09:27:26PM -0400, Samuel Ports wrote: 63 deleted messages and counting Comments like this in this thread, and accusation of FreeBSD developers operating behind closed doors on other lists. It would be amusing, if it weren't so sad... Glen

Re: getting the running patch level

2012-08-09 Thread Glen Barber
On Thu, Aug 09, 2012 at 03:31:25PM -0600, Brett Glass wrote: I realize that sysinstall is deprecated in favor of the new installer, but the new installer doesn't have the ability to install binary packages. Until and unless there's a convenient menu-based installer for binary packages, would

Re: periodic security run output gives false positives after 1 year

2012-02-16 Thread Glen Barber
On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote: Hi, I see it many times before, but never take a time to post about it. Scripts in /etc/periodic are grepping logs for yesterday date, but without specifying year (because some logs do not have year logged). This results

Re: periodic security run output gives false positives after 1 year

2012-02-16 Thread Glen Barber
On Thu, Feb 16, 2012 at 06:59:54PM +0100, Miroslav Lachman wrote: Glen Barber wrote: On Thu, Feb 16, 2012 at 06:04:34PM +0100, Miroslav Lachman wrote: Hi, I see it many times before, but never take a time to post about it. Scripts in /etc/periodic are grepping logs for yesterday date

Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

2011-09-30 Thread Glen Barber
is required, future advisories will mention it in the freebsd-update(8) instructions. They normally do for these cases, but please keep in mind that the security officer had issued three consecutive security advisories. Unfortunately, he's only human, too. :-) -- Glen Barber

Re: Cannot build or install Nessus on FreeBSD 9-beta2

2011-09-26 Thread Glen Barber
then attempting to install from /usr/ports/security/nessus results in a successful build but when nessusd is started it errors out on 'libz.so.5 not found'. FreeBSD 9 is at libz.so.6. The misc/compat8x port should contain the 8.x-specific libraries you would need. Regards, -- Glen Barber