Date:      Sun, 13 Jan 2008 18:26:41 +0100
From:      "文鳥" <bunchou@googlemail.com>
To:        freebsd-questions@freebsd.org, "Erik Cederstrand" <erik@cederstrand.dk>
Subject:   Re: Secure update of /usr/src
Message-ID:  <cb5b777d0801130926j56a20c5bx2a19555edd7ff071@mail.gmail.com>
In-Reply-To: <478A238A.4060106@cederstrand.dk>
References:  <cb5b777d0801130217r6467751ay634d0111617afc05@mail.gmail.com> <4789F7DE.9090905@cederstrand.dk> <cb5b777d0801130414l1f1427cekb49ee29a46140bf7@mail.gmail.com> <478A238A.4060106@cederstrand.dk>

On 08/01/13, Erik Cederstrand <erik@cederstrand.dk> wrote:
> 文鳥 wrote:
> > 2008/1/13, Erik Cederstrand <erik@cederstrand.dk>:
> >> 文鳥 wrote:
> >>> Hello all,
> >>>
> >>> is there any way to securely follow the STABLE branch of FreeBSD, e.g.
> >>> a cryptographically signed distribution method like portsnap? Afaik,
> >>> the usual update methods (CVSup, etc.) do not include any
> >>> authentication / integrity checking. Am I missing something here?
> >> freebsd-update(8) is portsnap for the base system. However, you can only
> >> follow RELEASE branches, not STABLE.
> >>
> >> Erik
> >>
> > Thanks for the reply. Unfortunately, I need to follow STABLE and (to
> > be policy-compliant) at the same time make sure that the code has not
> > been tampered with by, for example, checking the signature. Is there a
> > way to do this for STABLE?
>
> Just making sure; you are aware that STABLE only means "stable API" and
> is in fact the cutting edge for the 6.x line, right? If you want to
> follow a stable release branch, as in "is tested, supported by security
> team, and will not break in interesting ways", RELEASE is the branch to
> follow. freebsd-update(8) will fetch the security updates for you as
> they are applied to the RELEASE branch.
>
> Erik
>
Yes, I am aware of that fact. However, 7.x STABLE is the only version
apart from CURRENT that I was able to get working reliably on the
hardware in question. And alas, even though the system in question is
used for testing only, I am still bound by the company security policy
in this matter... Guess I will have to wait until 7.0 is released.
Thanks for your help in this matter.


