Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20090809065744.GA19364@openwall.com>
Date: Sun, 9 Aug 2009 10:57:44 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: update from cvs

On Wed, Aug 05, 2009 at 11:41:33AM +0400, Anatoly Pugachev wrote:
> How do i update my /usr/src/world from the cvs tree ?

Owl/doc/DOWNLOAD, also available via the web at:

http://www.openwall.com/Owl/DOWNLOAD.shtml

gives some basic information for accessing our FTP mirrors and anoncvs.

As it relates to your specific question - namely, updating an existing
local copy of the Owl CVS tree - you may do it as follows:

su - build
CVSROOT=:pserver:anoncvs:anoncvs@...ncvs.owl.openwall.com:/cvs make checkout

or maybe:

su - build
export CVS_RSH=ssh CVSROOT=anoncvs@...ncvs.owl.openwall.com:/cvs
cd native/Owl
cvs -z3 up -P
anoncvs@...ncvs.owl.openwall.com's password: <type anoncvs here>

Lots of other variations are possible as well.

Our "native" tree is quite small - just 2 MB gzipped - so if you're on a
fast link, you may as well re-download native.tar.gz from one of the FTP
mirrors.  And you do in fact have to access an FTP mirror in order to
update the "sources" tree as well (which contains mostly the original
tarballs of software that we use in Owl).  You may do it like this:

su - build
lftp ftp://ftp.fr.openwall.com/pub/Owl/current/
mirror -Lev sources

If you do not intend to rebuild Owl from source, you will need to get
and keep up-to-date the RPMS directory for your architecture instead of
the "sources" tree, like this:

su - build
lftp ftp://ftp.fr.openwall.com/pub/Owl/current/i386/
mirror -ev RPMS

For a non-current branch, such as 2.0-stable, everything is similar.
You need to access the proper FTP tree, such as /pub/Owl/2.0-stable, for
your initial download and for updates of the FTP'able trees.  However,
if you choose to update the "native" tree via anoncvs, then you do not
need to mention the branch name anywhere again - it is already "encoded"
in the tree, so the correct branch will be accessed automagically.

A closely related topic is verifying the integrity of your downloads.
You may check your downloads against the *.mtree files as follows:

su - build
lftp ftp://ftp.fr.openwall.com/pub/Owl/current/
get Owl.mtree
get native.tar.gz
mirror -Lev sources
mirror -Lev kernel
cd i386
get i386.mtree
mirror -ev RPMS
exit # from lftp
mtree -f Owl.mtree
mtree -f i386.mtree

This works both after initial downloads and after updates (lftp's
"mirror" commands download modified files only).

For Owl releases, such as 2.0-release, you should also download the
detached PGP signatures for the *.mtree files.  These are
Owl.mtree.sign, i386.mtree.sign, and the like.  To verify the mtree
files against the signatures, you run commands like:

gpg Owl.mtree.sign

with both Owl.mtree and Owl.mtree.sign being in the current directory.

Of course, you need to import our PGP key used for signatures first.
You can get it at:

http://www.openwall.com/signatures/

or from the keyservers:

gpg --keyserver wwwkeys.eu.pgp.net --recv-key 295029F1

It is a good idea to verify the key via the PGP web of trust.

We do not similarly sign *.mtree files for Owl branches (as opposed to
releases).  Perhaps this is something for us to fix (introduce another
signature key that would be suitable for use right on our build servers
or on the mirror feed).  Meanwhile, your best bet is to obtain the
*.mtree files right from the mirrors feed given here:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/doc/MIRRORING?rev=HEAD

Then use those files to verify downloads from your mirror of choice.
Please do not download everything from the feed.  Just the *.mtree
files.  Of course, this is dirty and non-perfect, but that's what we
have right now...

For updates from anoncvs, some limited security may be provided by the
use of SSH, as shown above.  This way you only accept the host key
once, and you'll be assured that you're getting your updates from the
same server later (well, or from the same man-in-the-middle...), as long
as the server does not get compromised.

Now, what's my prize for the longest answer to the shortest question?

Alexander

-- 
To unsubscribe, e-mail owl-users-unsubscribe@...ts.openwall.com and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.