Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 9 Aug 2009 10:57:44 +0400
From: Solar Designer <>
Subject: Re: update from cvs

On Wed, Aug 05, 2009 at 11:41:33AM +0400, Anatoly Pugachev wrote:
> How do i update my /usr/src/world from the cvs tree ?

Owl/doc/DOWNLOAD, also available via the web at:

gives some basic information for accessing our FTP mirrors and anoncvs.

As it relates to your specific question - namely, updating an existing
local copy of the Owl CVS tree - you may do it as follows:

su - build make checkout

or maybe:

su - build
export CVS_RSH=ssh
cd native/Owl
cvs -z3 up -P's password: <type anoncvs here>

Lots of other variations are possible as well.

Our "native" tree is quite small - just 2 MB gzipped - so if you're on a
fast link, you may as well re-download native.tar.gz from one of the FTP
mirrors.  And you do in fact have to access an FTP mirror in order to
update the "sources" tree as well (which contains mostly the original
tarballs of software that we use in Owl).  You may do it like this:

su - build
mirror -Lev sources

If you do not intend to rebuild Owl from source, you will need to get
and keep up-to-date the RPMS directory for your architecture instead of
the "sources" tree, like this:

su - build
mirror -ev RPMS

For a non-current branch, such as 2.0-stable, everything is similar.
You need to access the proper FTP tree, such as /pub/Owl/2.0-stable, for
your initial download and for updates of the FTP'able trees.  However,
if you choose to update the "native" tree via anoncvs, then you do not
need to mention the branch name anywhere again - it is already "encoded"
in the tree, so the correct branch will be accessed automagically.

A closely related topic is verifying the integrity of your downloads.
You may check your downloads against the *.mtree files as follows:

su - build
get Owl.mtree
get native.tar.gz
mirror -Lev sources
mirror -Lev kernel
cd i386
get i386.mtree
mirror -ev RPMS
exit # from lftp
mtree -f Owl.mtree
mtree -f i386.mtree

This works both after initial downloads and after updates (lftp's
"mirror" commands download modified files only).

For Owl releases, such as 2.0-release, you should also download the
detached PGP signatures for the *.mtree files.  These are
Owl.mtree.sign, i386.mtree.sign, and the like.  To verify the mtree
files against the signatures, you run commands like:

gpg Owl.mtree.sign

with both Owl.mtree and Owl.mtree.sign being in the current directory.

Of course, you need to import our PGP key used for signatures first.
You can get it at:

or from the keyservers:

gpg --keyserver --recv-key 295029F1

It is a good idea to verify the key via the PGP web of trust.

We do not similarly sign *.mtree files for Owl branches (as opposed to
releases).  Perhaps this is something for us to fix (introduce another
signature key that would be suitable for use right on our build servers
or on the mirror feed).  Meanwhile, your best bet is to obtain the
*.mtree files right from the mirrors feed given here:

Then use those files to verify downloads from your mirror of choice.
Please do not download everything from the feed.  Just the *.mtree
files.  Of course, this is dirty and non-perfect, but that's what we
have right now...

For updates from anoncvs, some limited security may be provided by the
use of SSH, as shown above.  This way you only accept the host key
once, and you'll be assured that you're getting your updates from the
same server later (well, or from the same man-in-the-middle...), as long
as the server does not get compromised.

Now, what's my prize for the longest answer to the shortest question?


To unsubscribe, e-mail and reply
to the automated confirmation request that will be sent to you.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.