Sorry for my delayed response. On Mon, Feb 03, 2020 at 01:57:10PM +0000, Glen Barber wrote: > First, if one installs from a snapshot, the MANIFEST file would only be > valid until the next snapshot build. > > The second and third problems are somewhat related: the various > distribution sets (base.txz, lib32.txz, etc.) are not updated with each > patch release. (I have been pondering the "right way(tm)" to do this > for some time, but that is more or less orthogonal to the real problem > at hand here.) The other issue is freebsd-update(8) does not work with > snapshot builds (from stable/X or head).
Oops. I hadn't realized freebsd-update, with the -r option, couldn't be used to upgrade to the next snapshot. Since that is the case, it seems fine to support -RELEASEs only. > But for X.Y-RELEASE, one could use 'bsdinstall jail' to create the jail, > then invoke freebsd-update(8) with the '-b' flag to the jail location. Right, and this is no different than the current situation. > The patch I have at the moment looks for the MANIFEST (rather, the > <arch>-<target_arch>-<X.Y-RELEASE>) file in the location they are > installed by the misc/freebsd-release-manifests package. This seems reasonable, but I think the checksum script is also used by the system installer (not just the jail setup script). Have you considered the possibility of simply publishing a detached signature with every MANIFEST, in a similar manner to what is done for the installer images? Those use PGP, requiring the gnupg package to verify, but OpenSSL could also be used. -nd. _______________________________________________ freebsd-security@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
