freebsd-update defaults and restrictions
Chris Maness
chris at chrismaness.com
Sat Sep 23 10:27:08 PDT 2006
> Colin Percival's freebsd-update utility has a number of options/flags
> that I can't figure out from
> man freebsd-update or
> man freebsd-update.conf or
> freebsd-update.conf.sample
>
> Syntax:
> freebsd-update [-b basedir] [--branch branchname] [-k KEY] command [URL]
>
> -b basedir "Act on a FreeBSD world based at ... basedir"
> What does this mean? If omitted, what is the default?
>
> --branch branchname Possibilities are nocrypto, crypto, ... .
> The example in Bejtlich's paper
> <http://www.taosecurity.com/keeping_freebsd_up-to-date.html>
> doesn't use --branch, and yet he implies the default is crypto and that
> most installations need crypto. Is the default crypto? How would I
> know what I need?
>
> -k KEY "A public key with a given MD5 hash"
> URL "The URL from which updates are fetched"
>
> The above two can also be specified in freebsd-update.conf and the
> sample file has URL pointing to update.daemonology.net (Colin's web
> server). Bejtlich states that the KEY and the URL in the .conf file are
> cooked to get updates from Colin's site, and to use the sample file "if
> you trust [Colin] to securely build binary updates for you to blindly
> install ..." Aside from Bejtlich's obvious tongue-in-cheek negativity
> (they are both security guys after all, and Colin is the FreeBSD
> security officer), are there other possible sites for updates? How do I
> figure out a correct value for KEY if I know the URL? Incidentally, the
> KEY and the URL are required, since they either need to be specified on
> the command line as in the above syntax or via the configuration file.
>
> Finally, freebsd-update must operate on a GENERIC kernel, but does this
> mean I can still use device.hints?
>
> Any help would be greatly appreciated.
>
> -gayn
>
> Bristol Systems Inc.
> 714/532-6776
> www.bristolsystems.com <http://www.bristolsystems.com>
If freebsd-update installs new kernel modules, will the system have to
be re-booted? If the system does need to be re-booted, will
freebsd-update do it? If I have to manually reboot, when do I know a
particular update calls for re-booting?
Sorry for the 20 questions.
Chris Maness