Re: bsdinstall and current (possible stable) snapshots

From: Sergey V. Dyatko <sergey.dyatko_at_gmail.com>
Date: Mon, 23 Mar 2015 19:47:57 +0300
On Mon, 23 Mar 2015 09:15:57 -0700
Nathan Whitehorn <nwhitehorn_at_freebsd.org> wrote: 

> 
> On 03/23/15 09:06, Devin Teske wrote:
> >> On Mar 22, 2015, at 10:47 PM, Sergey V. Dyatko <sergey.dyatko_at_gmail.com>
> >> wrote:
> >>
> >> Hi Devin,
> >>
> >> Recently I'm trying to install FreeBSD CURRENT from bootonly image
> >> ( FreeBSD-11.0-CURRENT-amd64-20150302-r279514-bootonly.iso)
> >> on IBM HS22 blade via bladecenter's kvm but I faced with problem on
> >> checksum stage, bootonly doesn't contain base, kernel,etc distributions
> >> but it contain manifest file.
> >> On mirrors we have  pub/FreeBSD/snapshots/${ARCH}/11.0-CURRENT/*txz and
> >> MANIFEST, sha256 sums from _local_ manifest doesn't match sha256 sums for
> >> fetched files. I suppose it will be fine with RELEASE bootonly iso but not
> >> with stable/current.
> >> there is 2 ways how we can handle it:
> >> 1) download remote MANIFEST if spotted checksum mismatch and trying to use
> >> it 2) allow user to continue installation with 'broken' distributions
> >>
> >> I had to first put 10.1 then update it to HEAD :(
> >>
> >> What do you think ?
> > When I get some time I’ll have a look and see what I can do.
> > —
> > Cheers,
> > Devin
> >
> >
> 
> Using the local manifest is a security feature -- there is otherwise 
> zero protection against a man-in-the-middle attack. Ideally, you'd use 
> the ISO that matches the posted files. There are three options here:
> 1. Add a dialog that lets you move ahead in the event of checksum 
> failure, which makes me very nervous.
> 2. Use the boot1 disk.
> 2a. For release engineering: if the posted tarballs change too fast, the 
> bootonly disk isn't actually useful for -CURRENT and should probably be 
> removed from the FTP server.

I don't think so. I use only bootonly ISOs when I (rare) setup new
fbsd instances, disk1 contain to much useless (for me) things.  I
haven't fast internet (in 2015, yes) so download data1 image is a pain. 

What about STABLE images/tarballs  ? If I understand correctly it is also
uploaded too fast...

> 3. You could reroll the ISO (just untar and run makefs again), 
> commenting out line 180 of /usr/libexec/bsdinstall/scripts/auto.
> -Nathan

sure I can. 
Idea with a dialog is  a good idea, IMO :)

--
wbr, tiger
Received on Mon Mar 23 2015 - 15:49:29 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:56 UTC