Date: Sun, 13 Jan 2008 18:26:41 +0100
From: 文鳥
To: freebsd-questions@freebsd.org, "Erik Cederstrand"
In-Reply-To: <478A238A.4060106@cederstrand.dk>
References: <4789F7DE.9090905@cederstrand.dk> <478A238A.4060106@cederstrand.dk>
Subject: Re: Secure update of /usr/src

On 08/01/13, Erik Cederstrand wrote:
> 文鳥 wrote:
> > 2008/1/13, Erik Cederstrand :
> >> 文鳥 wrote:
> >>> Hello all,
> >>>
> >>> is there any way to securely follow the STABLE branch of FreeBSD, e.g.
> >>> a cryptographically signed distribution method like portsnap? Afaik,
> >>> the usual update methods (CVSup, etc.) do not include any
> >>> authentication / integrity checking. Am I missing something here?
> >> freebsd-update(8) is portsnap for the base system. However, you can only
> >> follow RELEASE branches, not STABLE.
> >>
> >> Erik
> >>
> > Thanks for the reply. Unfortunately, I need to follow STABLE and (to
> > be policy-compliant) at the same time make sure that the code has not
> > been tampered with by, for example, checking the signature. Is there a
> > way to do this for STABLE?
>
> Just making sure; you are aware that STABLE only means "stable API" and
> is in fact the cutting edge for the 6.x line, right? If you want to
> follow a stable release branch, as in "is tested, supported by security
> team, and will not break in interesting ways", RELEASE is the branch to
> follow. freebsd-update(8) will fetch the security updates for you as
> they are applied to the RELEASE branch.
>
> Erik
>

Yes, I am aware of that fact. However, 7.x STABLE is the only version
apart from CURRENT that I was able to get working reliably on the
hardware in question. And alas, even though the system in question is
used for testing only, I am still bound by the company security policy
in this matter... Guess I will have to wait until 7.0 is released.

Thanks for your help in this matter.