On Sun, 2006-Jul-09 00:42:31 -0700, Colin Percival wrote:
> I have written an automatic script
>for performing binary FreeBSD 6.0 -> FreeBSD 6.1 upgrades.
That sounds useful. Are you intending to provide this for future
FreeBSD minor-revision releases?
>Naturally, the cryptographic hashes of all the files are verified
>against values stored in the script, so as long as you trust the
>FreeBSD Security Officer (and if you don't, why are you running
>FreeBSD?), the process is entirely secure.
But how can I tell that the script came from the FreeBSD Security
Officer? You have signed your mail with a key (ID 0xD09347FC) that
claims to be a Colin Percival with an Oxford Uni address (whereas this
mail has a freebsd.org address) but the key that I downloaded from a
PGP keyserver has no other signatures. You don't have a key in the
FreeBSD CVS repository that I can locate and I can't find any keys on
www.daemonology.net. Basically, I only have your word that you are
who you claim to be.
(Of course, I still need to be able to trust the FreeBSD CVS repository
but if I can't trust that, I can't trust my OS either).
If you really are the FreeBSD Security Officer why can't I find copies
of your key and FreeBSD SO key (0xCA6CDFB2) that are counter-signed
by each other?
--
Peter Jeremy
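
Added example, not part of the original message or of either correspondent's tooling: a parser for `gpg --with-colons --check-sigs` output that tests the mutual certification the message asks about. The long key IDs and every sample record are constructed; only the short IDs 0xD09347FC and 0xCA6CDFB2 come from the message.

```python
# Constructed long key IDs: the low 32 bits are the short IDs quoted in the
# message, the upper 32 bits are padding invented for this example.
CP = "00000000D09347FC"
SO = "00000000CA6CDFB2"

# Constructed, trimmed colon output: each key carries only its self-signature.
SELF_ONLY = f"""\
pub:-:1024:17:{CP}:1100000000:::-:::scESC:
sig:!::17:{CP}:1100000000::::Key A (constructed):13x:
pub:-:1024:17:{SO}:1100000000:::-:::scESC:
sig:!::17:{SO}:1100000000::::Key B (constructed):13x:
"""

# Constructed: the same two keys, each also certified by the other.
CROSS = f"""\
pub:-:1024:17:{CP}:1100000000:::-:::scESC:
sig:!::17:{CP}:1100000000::::Key A (constructed):13x:
sig:!::17:{SO}:1150000000::::Key B (constructed):10x:
pub:-:1024:17:{SO}:1100000000:::-:::scESC:
sig:!::17:{SO}:1100000000::::Key B (constructed):13x:
sig:!::17:{CP}:1150000000::::Key A (constructed):10x:
"""

# Constructed: B's certification of A is listed but gpg could not verify it ('?').
UNVERIFIED = CROSS.replace(f"sig:!::17:{SO}:1150000000", f"sig:?::17:{SO}:1150000000")

CERT_CLASSES = ("10", "11", "12", "13")  # OpenPGP certification signature types


def good_certifiers(colon_output):
    """Map each primary key ID to the other key IDs whose certification
    gpg marked as good ('!'). Self-signatures and subkey bindings are ignored."""
    certs, current = {}, None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            certs[current] = set()
        elif f[0] == "sig" and current and len(f) > 10:
            verified = f[1] == "!"                  # '-' bad, '?' signer key missing
            is_cert = f[10][:2] in CERT_CLASSES     # e.g. '10x', '13x'
            if verified and is_cert and f[4] != current:
                certs[current].add(f[4])
    return certs


def cross_signed(colon_output, key_a, key_b):
    """True only if each key carries a verified certification from the other."""
    certs = good_certifiers(colon_output)
    return key_b in certs.get(key_a, set()) and key_a in certs.get(key_b, set())
```

Short 32-bit key IDs can collide, so a real check should compare full fingerprints obtained over a separate trusted channel.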