From: Matthew Seaman
To: mfv@bway.net
Cc: freebsd-questions@freebsd.org
Subject: Re: Downloading 10.2-RELEASE-p10 source without prayer
Date: Wed, 20 Jan 2016 17:25:52 +0000
Message-ID: <569FC320.1080906@freebsd.org>
References: <569F4344.5020907@FreeBSD.org> <20160120115808.6133c482@gecko4>

On 01/20/16 16:58, mfv wrote:
>> On Wed, 2016-01-20 at 08:20 Matthew Seaman wrote:
>>
>> On 20/01/2016 01:30, Chris Stankevitz wrote:
>>> On Tue, Jan 19, 2016 at 4:45 PM, Chris Stankevitz wrote:
>>>>> Of course I'm being sarcastic about the prayer... but is there a
>>>>> way (a tarball or special SVN tag/branch) to get the "official"
>>>>> 10.2-RELEASE-p10 code? What do the freebsd-update servers use?
>>
>>> I could just look at "svn log -l 1" and see if it jives more or less
>>> with the most recent freebsd-announce email.
>>
>> Depends how paranoid you want to be.
>>
>> If you download one of the DVD installation images, that should include
>> base system sources and will have offline checksums that you can
>> verify.
>>
>> You can then apply the patches from all of the SAs and ENs published
>> since, all of which are digitally signed. That's probably as good as
>> you can get in ensuring you've got authentic, untampered sources.
>>
>> Most people would find it good enough to use e.g. freebsd-update -- the
>> updates are cryptographically signed, so you can be reasonably certain
>> that what it installs on your system is the same as what it has on the
>> servers. It does use a pretty direct connection to the master SVN
>> repository for obtaining the code it builds from, but you generally
>> have to trust that it is using unadulterated sources itself.
>> freebsd-update can maintain a copy of /usr/src for you.
>>
>> Or else you can just checkout the RELENG-10 branch from one of the SVN
>> mirrors:
>>
>> # cd /usr
>> # svn co https://svn.freebsd.org/base/releng/10.2 src
>>
>> The SSL cert on the server should be sufficient guarantee you've not
>> been spoofed into some MITM scenario.
>>
>> Cheers,
>>
>> Matthew
>>
>
> Hello Matthew,
>
> Thanks for outlining those steps for updating system source code. Being
> a bit on the paranoid side these are the steps I have been following.
> Rather than using svn, however, I've been using svnup which for a
> single host seems to be sufficiently lightweight.
>
> I've been using https for the protocol setting but was wondering if
> there is greater security using the svn protocol. Is one protocol more
> secure than another? Or does it really make a difference?

There's not a lot of difference functionality- or performance-wise as
far as an end-user is concerned. However, only https gives you any
assurance that you are connecting to the server you thought you were.
You will need to check the cert -- svn will ask you about it the first
time you connect.

Cheers,

Matthew
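
The offline checksum verification recommended in the quoted advice above, as an added example (not part of the original message and not FreeBSD's own tooling): a POSIX shell function that checks a downloaded image against a checksum manifest and distinguishes a mismatch from a missing entry. It assumes the manifest uses BSD-style lines of the form "SHA256 (filename) = digest"; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded file against a BSD-style checksum
# manifest. Assumed manifest line format:
#   SHA256 (filename) = <64 hex digits>
# File names are assumed to contain no whitespace.

# Print the SHA-256 digest of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                                # FreeBSD base system
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1              # GNU coreutils
    else
        openssl dgst -sha256 -r < "$1" | cut -d' ' -f1
    fi
}

# verify_against_manifest MANIFEST FILE
# Returns 0 on match, 1 on digest mismatch, 2 if FILE is not listed.
verify_against_manifest() {
    manifest=$1
    file=$2
    name=$(basename "$file")

    # Take the digest recorded for exactly this file name, nothing looser.
    expected=$(awk -v n="$name" '
        $1 == "SHA256" && $2 == ("(" n ")") && $3 == "=" {
            print tolower($4); exit
        }' "$manifest")

    if [ -z "$expected" ]; then
        echo "no SHA256 entry for $name in $manifest" >&2
        return 2
    fi

    actual=$(sha256_of "$file" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi

    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}
```

The result is only as trustworthy as the manifest itself, so obtain the manifest over a channel you trust independently of the image download.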