From: "Gayn Winters" <gayn.winters@bristolsystems.com>
To: freebsd-questions@freebsd.org
Date: Mon, 2 Jan 2006 19:15:06 -0800
Subject: freebsd-update defaults and restrictions
Reply-To: gayn.winters@bristolsystems.com

Colin Percival's freebsd-update utility has a number of options/flags that I can't figure out from man freebsd-update or man freebsd-update.conf or freebsd-update.conf.sample.

Syntax: freebsd-update [-b basedir] [--branch branchname] [-k KEY] command [URL]

-b basedir
    "Act on a FreeBSD world based at ... basedir"
    What does this mean? If omitted, what is the default?

--branch branchname
    Possibilities are nocrypto, crypto, ... .
    The example in Bejtlich's paper www.taosecurity.com/keeping_freebsd_up-to-date.html doesn't use --branch, and yet he implies the default is crypto and that most installations need crypto. Is the default crypto? How would I know what I need?

-k KEY
    "A public key with a given MD5 hash"

URL
    "The URL from which updates are fetched"

The above two can also be specified in freebsd-update.conf, and the sample file has URL pointing to update.daemonology.net (Colin's web server). Bejtlich states that the KEY and the URL in the .conf file are cooked to get updates from Colin's site, and to use the sample file "if you trust [Colin] to securely build binary updates for you to blindly install ..."

Aside from Bejtlich's obvious tongue-in-cheek negativity (they are both security guys after all, and Colin is the FreeBSD security officer), are there other possible sites for updates? How do I figure out a correct value for KEY if I know the URL?

Incidentally, the KEY and the URL are required, since they either need to be specified on the command line as in the above syntax or via the configuration file.

Finally, freebsd-update must operate on a GENERIC kernel, but does this mean I can still use device.hints?

Any help would be greatly appreciated.

-gayn
Bristol Systems Inc.
714/532-6776
www.bristolsystems.com
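The KEY setting the post asks about is a fingerprint pin: per the man page text quoted above, it is the MD5 hash of the server's public key, so the hash has to come from a source you already trust rather than from the URL itself. The script below is an added illustration of that check, not freebsd-update's own code; the KEY=/URL= config format, the file names and the sample values are constructed for the demo.

```shell
#!/bin/sh
# Added example (not freebsd-update itself): reproduce the trust check that a
# pinned KEY in freebsd-update.conf provides. Config format (KEY=/URL= lines),
# file names and sample values are assumptions for illustration only.

# Compute the MD5 fingerprint of a file portably (md5sum on Linux, md5 on BSD).
md5_of_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Read a NAME=value setting from the config file; comment lines are ignored.
conf_get() {
    # $1 = config file, $2 = setting name (e.g. KEY or URL)
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Return 0 only if the downloaded public key's MD5 equals the pinned KEY.
verify_pubkey() {
    # $1 = config file, $2 = path to the fetched public key (e.g. pub.ssl)
    expected=$(conf_get "$1" KEY)
    actual=$(md5_of_file "$2")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Constructed demo: a config pinning the MD5 of the string "hello", one key
# file that matches it and one that a bad mirror might substitute.
demo() {
    tmp=$(mktemp -d)
    printf 'hello' > "$tmp/pub.ssl"
    printf 'tampered' > "$tmp/pub-bad.ssl"
    cat > "$tmp/freebsd-update.conf" <<EOF
# constructed sample, not the real distribution file
URL=http://update.example.invalid/
KEY=5d41402abc4b2a76b9719d911017c592
EOF
    verify_pubkey "$tmp/freebsd-update.conf" "$tmp/pub.ssl" && echo "genuine key: OK"
    verify_pubkey "$tmp/freebsd-update.conf" "$tmp/pub-bad.ssl" || echo "substituted key: REJECTED"
    rm -rf "$tmp"
}

demo
```

A mismatch means the key served at URL is not the one your configuration was told to trust, and no update from that server should be installed until the discrepancy is explained.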