Date: Wed, 20 Jan 2016 11:58:08 -0500
From: mfv
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Subject: Re: Downloading 10.2-RELEASE-p10 source without prayer
Message-ID: <20160120115808.6133c482@gecko4>
In-Reply-To: <569F4344.5020907@FreeBSD.org>
References: <569F4344.5020907@FreeBSD.org>
Reply-To: mfv@bway.net

> On Wed, 2016-01-20 at 08:20 Matthew Seaman wrote:
>
>On 20/01/2016 01:30, Chris Stankevitz wrote:
>> On Tue, Jan 19, 2016 at 4:45 PM, Chris Stankevitz wrote:
>>> > Of course I'm being sarcastic about the prayer... but is there a
>>> > way (a tarball or special SVN tag/branch) to get the "official"
>>> > 10.2-RELEASE-p10 code? What do the freebsd-update servers use?
>
>> I could just look at "svn log -l 1" and see if it jives more or less
>> with the most recent freebsd-announce email.
>
>Depends how paranoid you want to be.
>
>If you download one of the DVD installation images, that should include
>base system sources and will have offline checksums that you can
>verify.
>
>You can then apply the patches from all of the SAs and ENs published
>since, all of which are digitally signed. That's probably as good as
>you can get in ensuring you've got authentic, untampered sources.
>
>Most people would find it good enough to use eg. freebsd-update -- the
>updates are cryptographically signed, so you can be reasonably certain
>that what it installs on your system is the same as what it has on the
>servers. It does use a pretty direct connection to the master SVN
>repository for obtaining the code it builds from, but you generally
>have to trust that it is using unadulterated sources itself.
>freebsd-update can maintain a copy of /usr/src for you.
>
>Or else you can just checkout the RELENG-10 branch from one of the SVN
>mirrors:
>
># cd /usr
># svn co https://svn.freebsd.org/base/releng/10.2 src
>
>The SSL cert on the server should be sufficient guarantee you've not
>been spoofed into some MITM scenario.
>
> Cheers,
>
> Matthew
>

Hello Matthew,

Thanks for outlining those steps for updating system source code.
Being a bit on the paranoid side these are the steps I have been
following. Rather than using svn, however, I've been using svnup which
for a single host seems to be sufficiently light weight.

I've been using https for the protocol setting but was wondering if
there is greater security using the svn protocol. Is one protocol more
secure than another? Or does it really make a difference?

Cheers ...

Marek
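
Added example, not part of the original message and not FreeBSD's own tooling: a shell function for the checksum step in the quoted reply, checking a downloaded image against a BSD-style manifest line of the form "SHA256 (name) = hex". The function names and return codes are assumptions of this example, and the manifest is only as trustworthy as the channel it was obtained through.

```shell
#!/bin/sh
# Added example: verify a file against a BSD-style checksum manifest,
# i.e. lines of the form:   SHA256 (name) = <64 hex digits>
# Function names and return codes are this example's own choices.

# Print the SHA-256 of $1 as lowercase hex, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                       # FreeBSD base system tool
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# verify_bsd_checksum MANIFEST FILE
# Returns 0 on match, 1 on mismatch, 2 when there is no usable entry
# (file unreadable, name absent, name listed twice, malformed digest).
# Limitation: file names containing whitespace are not supported.
verify_bsd_checksum() {
    manifest=$1
    file=$2
    [ -r "$file" ] || return 2
    name=$(basename "$file")

    # Compare the name as a literal string (passed via the environment,
    # so it is never interpreted as a pattern), and accept the entry
    # only if it occurs exactly once in the manifest.
    want=$(NAME=$name awk '
        $1 == "SHA256" && $2 == "(" ENVIRON["NAME"] ")" && $3 == "=" {
            h = tolower($4); n++
        }
        END { if (n == 1) print h }' "$manifest")

    # Reject anything that is not exactly 64 hex digits, so a truncated
    # or empty digest can never compare equal by accident.
    printf '%s' "$want" | grep -Eq '^[0-9a-f]{64}$' || return 2

    got=$(sha256_of "$file")
    [ "$got" = "$want" ]
}
```

Call it as verify_bsd_checksum MANIFEST IMAGE and treat any non-zero status as "do not install from this image".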