From owner-freebsd-stable@freebsd.org  Mon Aug 13 00:50:55 2018
Return-Path: <owner-freebsd-stable@freebsd.org>
Delivered-To: freebsd-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 890A7105D166
 for <freebsd-stable@mailman.ysv.freebsd.org>;
 Mon, 13 Aug 2018 00:50:55 +0000 (UTC)
 (envelope-from prvs=0763b2422b=ari@ish.com.au)
Received: from fish.ish.com.au (ip-2.ish.com.au [203.29.62.2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 07CAE81C1C
 for <freebsd-stable@freebsd.org>; Mon, 13 Aug 2018 00:50:54 +0000 (UTC)
 (envelope-from prvs=0763b2422b=ari@ish.com.au)
Received: from ip-145.ish.com.au ([203.29.62.145]:54165)
 by fish.ish.com.au with esmtpsa (TLSv1.2:AES128-SHA:128)
 (Exim 4.82_1-5b7a7c0-XX) (envelope-from <ari@ish.com.au>)
 id 1fp146-0000yE-27
 for freebsd-stable@freebsd.org; Mon, 13 Aug 2018 10:50:35 +1000
X-CTCH-RefID: str=0001.0A150208.5B70D5DA.011F:SCFSTAT42589845, ss=1, re=-4.000,
 recu=0.000, reip=0.000, cl=1, cld=1, fgs=0
To: freebsd-stable <freebsd-stable@freebsd.org>
From: Aristedes Maniatis <ari@ish.com.au>
Subject: freebsd-update IDS: fixing errors
Message-ID: <b8ddeb62-efd0-ffa2-ce9c-79ce9edb538f@ish.com.au>
Date: Mon, 13 Aug 2018 10:50:34 +1000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0)
 Gecko/20100101 Thunderbird/60.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-stable>, 
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2018 00:50:55 -0000

I'd like to use "freebsd-update IDS" as a simple intrusion check. I have 
a separate mechanism to test that
freebsd-update itself hasn't been modified.

However I get lots of lines like this:

/usr/share/man/man4/if_ixgbe.4.gz has SHA256 hash 
859cc19faf7a511755409aa143b24ccb2c998bbc99a5972d1d7aa70f37611a65, but 
should have SHA256 hash 
5652698ae3834e8cfbb2d0e5a95fe7984a6656f0a6c792e88ea8f2c75873555e.


Two questions:

1. What causes these mismatches? Does IDS not take into account minor 
updates or something else?

2. Is there a simple way to fix this that doesn't involve a system 
reinstall? Just unzip the FreeBSD tz files and copy over the relevant 
bits? Could that be added as a feature to the IDS command?


Ari