Re: Binary kernel and base update
[EMAIL PROTECTED] wrote: OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? You can do binary updates. On your build machine just update to -stable and do make release, then upgrade your machines.
Re: Binary kernel and base update
Hi, Try this URL: http://www.google.nl/search?q=openbsd+binary+upgrade # Han
Re: Binary kernel and base update
On Tue, Apr 10, 2007 at 01:43:56AM +0200, [EMAIL PROTECTED] wrote:
> I have noticed that the OpenBSD team puts a lot of emphasis on
> using binary packets rather than building from ports, which I
> think IMHO is good, but why is it that there is no binary kernel
> updates, rather than patching the kernel from source?
Among the several likely reasons I can think of, one obvious one is
that there simply isn't enough hardware or free development time to
manage that infrastructure. It takes time and work to make binary
patches, and OpenBSD isn't as large (or as well-funded) a project as
Debian, which you mention later.
[...]
> Last week management decided to go back to using Debian on some of
> our servers due to them being easy to upgrade including kernel and
> basesystem upgrades.
OpenBSD is quite easy to upgrade if you have a build host for your
network. Setting one up on a spare box is rather straightforward
(release(8), among other things).
--
o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*
Re: Binary kernel and base update
On Tue, Apr 10, 2007 at 01:43:56AM +0200, [EMAIL PROTECTED] wrote: > Hi all. > > I have noticed that the OpenBSD team puts a lot of emphasis on using binary > packets rather than building from ports, which I think IMHO is good, but why > is it that there is no binary kernel updates, rather than patching the kernel > from source? We have stated this numerous times, but maybe it's not easy to find in the archives because there is no obvious subject: not enough resources. Binary updates for the whole system would be desireable, but we simply do not have the time to do it right (for now). The infrastructure is totally geared towards -current. There are just few resources devoted to -stable packages, and almost none towards stable source. Some people external to the project are providing you with binpatch and binary updates. As long as you trust them, you can use their work...
Re: Binary kernel and base update
On Tue, 10 Apr 2007 01:43:56 +0200 [EMAIL PROTECTED] wrote: Thanks to all for the kind and enlightening answers. When I read that it was mainly due to lack of people and so, and not because that it was a bad idea, I then hope OpenBSD will keep expanding, and one day have all the resources which it needs. > Hi all. > > I have noticed that the OpenBSD team puts a lot of emphasis on using binary > packets rather than building from ports, which I think IMHO is good, but why > is it that there is no binary kernel updates, rather than patching the kernel > from source? > > I am asking this not from a point that we find this difficult, rather in > OpenBSD its really easy. But sometimes its very time consuming, and yes there > exists binpatch and other solutions, but why isn't there an official OpenBSD > way? > > Last week management decided to go back to using Debian on some of our servers > due to them being easy to upgrade including kernel and basesystem upgrades. > > OpenBSD has really made a cool solution with pkg_add -u, but why not kernel > and basesystem binary updates as well? > > Best and kind regards. > > Rico
Re: Binary kernel and base update
On Tuesday, April 10, 2007 at 11:36:08 +0200, Marc Espie wrote: >We have stated this numerous times, but maybe it's not easy to find in the >archives because there is no obvious subject: not enough resources. >Binary updates for the whole system would be desireable, but we simply do >not have the time to do it right (for now). What do you consider to be 'right'? I guess all supported architectures, including X and for the latest and previous release. >The infrastructure is totally geared towards -current. There are just few >resources devoted to -stable packages, and almost none towards stable >source. I can build releases of the stable tree on a regular basis for 6 architectures, but not all of them. In case there are any plans and I can help, just let me know. >Some people external to the project are providing you with binpatch and >binary updates. As long as you trust them, you can use their work... I found some instructions and scripts, but no ready-to-download binaries. Someone interested to set something up? I suppose this will be external to the project, because I doubt we can do it 'right' either. Maurice
Re: Binary kernel and base update
Maurice Janssen wrote: On Tuesday, April 10, 2007 at 11:36:08 +0200, Marc Espie wrote: We have stated this numerous times, but maybe it's not easy to find in the archives because there is no obvious subject: not enough resources. Binary updates for the whole system would be desireable, but we simply do not have the time to do it right (for now). What do you consider to be 'right'? I guess all supported architectures, including X and for the latest and previous release. I would assume so, but real feedback may be nice to get to be sure. The infrastructure is totally geared towards -current. There are just few resources devoted to -stable packages, and almost none towards stable source. I can build releases of the stable tree on a regular basis for 6 architectures, but not all of them. In case there are any plans and I can help, just let me know. If there was a real concrete effort, not just the usual vapor ware, I would/could offer hosting in Equinix peering point, for downloading binaries, and/or even setup hardware to have it done automatically like the current, however, I do not know the setup or configuration of that setup to produce the current binaries. If that was for real, I wouldn't be oppose to get the hardware to do it natively and get it going. Just my own experience however, there is always many users saying they would do it, but when the time comes, well. Some people external to the project are providing you with binpatch and binary updates. As long as you trust them, you can use their work... I found some instructions and scripts, but no ready-to-download binaries. Someone interested to set something up? I suppose this will be external to the project, because I doubt we can do it 'right' either. Not to put the burning on anyone here, but if that was going to be done, I would love to be sure it is done properly, meaning with some guidance of devs to follow the same standard as the project if possible. At a minimum, just a hosting of good and reliable binaries would already be great. In any case, I am not sure where this will go, or if anywhere, but if there is a real effort, I would do my share and can put it on openbsdsupport.org as well if that help some. There have been talk on this subject for years and I suspect it will continue for more, but I may be wrong. Daniel
Re: Binary kernel and base update
On Friday, April 13, 2007 at 15:16:41 -0400, Daniel Ouellet wrote: >If there was a real concrete effort, not just the usual vapor ware, I >would/could offer hosting in Equinix peering point, for downloading >binaries, That's in the US? Is that OK with regard to export restrictions? >Not to put the burning on anyone here, but if that was going to be done, >I would love to be sure it is done properly, meaning with some guidance >of devs to follow the same standard as the project if possible. The FAQ and release(8) should give some guidance. IMHO enough to build a release that can be used as binary update. >At a minimum, just a hosting of good and reliable binaries would already >be great. ACK. >In any case, I am not sure where this will go, or if anywhere, but if >there is a real effort, I would do my share and can put it on >openbsdsupport.org as well if that help some. > >There have been talk on this subject for years and I suspect it will >continue for more, but I may be wrong. Well, let's see if we can finally do something about it. I can build the kernel+system for the latest stable release for 6 architectures (i386, sparc, sparc64, hppa, alpha and vax). I don't have the hardware to build the previous release or other architectures, but it's a start. I hope others will jump in to fill in the gaps and also have some spare capacity in case something breaks. Maurice
Re: Binary kernel and base update
Maurice Janssen wrote: On Friday, April 13, 2007 at 15:16:41 -0400, Daniel Ouellet wrote: If there was a real concrete effort, not just the usual vapor ware, I would/could offer hosting in Equinix peering point, for downloading binaries, That's in the US? Is that OK with regard to export restrictions? Hmmm... You got a point there. I always forget about the backward mentality of some leaders (hmmm, wonder if the term apply really) in this place where they think everyone else is behind in technology, etc. But download of files is available from many Universities in the US as well. Are they blocking the download for US only? So, I can't do it then, can I, not even built the binaries either? I don't have the answer, but you raise a good point that I didn't think about. Not been born here doesn't help me to narrow my thinking I guess. And we call that a global network?
Re: Binary kernel and base update
On Fri, 13 Apr 2007 15:16:41 -0400 Daniel Ouellet <[EMAIL PROTECTED]> wrote: > Not to put the burning on anyone here, but if that was going to be done, > I would love to be sure it is done properly, meaning with some guidance > of devs to follow the same standard as the project if possible. Any comments from the devs now that some guys really want to make an effort? Lets get it up and running! > At a minimum, just a hosting of good and reliable binaries would already > be great. > > In any case, I am not sure where this will go, or if anywhere, but if > there is a real effort, I would do my share and can put it on > openbsdsupport.org as well if that help some. > > There have been talk on this subject for years and I suspect it will > continue for more, but I may be wrong.
Re: Binary kernel and base update
On 13/04/07, Daniel Ouellet <[EMAIL PROTECTED]> wrote: Maurice Janssen wrote: > On Friday, April 13, 2007 at 15:16:41 -0400, Daniel Ouellet wrote: >> If there was a real concrete effort, not just the usual vapor ware, I >> would/could offer hosting in Equinix peering point, for downloading >> binaries, > > That's in the US? Is that OK with regard to export restrictions? Hmmm... You got a point there. I always forget about the backward mentality of some leaders (hmmm, wonder if the term apply really) in this place where they think everyone else is behind in technology, etc. But download of files is available from many Universities in the US as well. Are they blocking the download for US only? So, I can't do it then, can I, not even built the binaries either? I don't have the answer, but you raise a good point that I didn't think about. Not been born here doesn't help me to narrow my thinking I guess. And we call that a global network? Not backed by any research or asking, but kth.se and uio.no seem to be happy to mirror quite a bit of stuff, and I believe also on rather good connections. Probably quite a few other mirrors would be happy to host this, if this would take off. So I guess the major point is getting in place the infrastructure to build things, and setting a procedure to do so. Also possibly preparing a way to apply those binary patches, but the current upgrade procedures do the trick as well. -- viq
Re: Binary kernel and base update
Maurice Janssen wrote: On Tuesday, April 10, 2007 at 11:36:08 +0200, Marc Espie wrote: We have stated this numerous times, but maybe it's not easy to find in the archives because there is no obvious subject: not enough resources. Binary updates for the whole system would be desireable, but we simply do not have the time to do it right (for now). My company has to provide -stable base system and especially packages on at least i386 for it's customers. We have a fan-out box to which customer systems connect (the PKG_PATH points to it). This works really nice an we can distribute security updates like e.g. ClamAV within minutes to all machines we take care of. If there is interest in this, we could make it available as a (paid, but reasonably priced) service. Contact me off-list if interested.
Re: Binary kernel and base update
On Friday, April 13, 2007 at 17:21:14 -0400, Daniel Ouellet wrote: >Maurice Janssen wrote: >>On Friday, April 13, 2007 at 15:16:41 -0400, Daniel Ouellet wrote: >>>If there was a real concrete effort, not just the usual vapor ware, I >>>would/could offer hosting in Equinix peering point, for downloading >>>binaries, >> >>That's in the US? Is that OK with regard to export restrictions? > >Hmmm... You got a point there. I always forget about the backward >mentality of some leaders (hmmm, wonder if the term apply really) in >this place where they think everyone else is behind in technology, etc. > >But download of files is available from many Universities in the US as >well. Are they blocking the download for US only? I guess most of the time, it isn't checked. But that doesn't mean that we shouldn't do it by the book. >So, I can't do it then, can I, not even built the binaries either? As far as I understand it, both code and binaries are not allowed to be exported. But IANAL, I'd be happy to hear that I've got it all wrong. Perhaps you could put some information and links on the openbsdsupport.org website. That would be a start. The actual files can be hosted somewhere else. In the meantime, I tried to set things up for building stable releases. - i386 and sparc64 do it in about a day on my rather old and slow hardware. - sparc and vax are still crunching. - I've had some problems with alpha and hppa. But as these are probably not the most popular platforms, I guess this is not critical for now. I hope to fix this soon. So I guess we need a place with good connecticity to host the files. It's less than 200 MB per architecture, but I have no idea how much traffic it'll generate. Maurice
Re: Binary kernel and base update
On Saturday, April 14, 2007 at 07:43:06 +0200, Marc Balmer wrote: >My company has to provide -stable base system and especially packages on >at least i386 for it's customers. We have a fan-out box to which >customer systems connect (the PKG_PATH points to it). This works really >nice an we can distribute security updates like e.g. ClamAV within >minutes to all machines we take care of. Up to here, I was hoping you were going to offer hosting facilities. >If there is interest in this, we could make it available as a (paid, but >reasonably priced) service. Contact me off-list if interested. But apparantly that's not the case. I don't see how this is of any help to this initiative. Maurice
Re: Binary kernel and base update
I just skimmed this whole thread and I am wondering about a couple of things. It appears that all of you are talking about basically following the instructions for release(8) and just providing the generated files for people. Is that correct? If the above is true, I can also assist with building release(8) for i386, mac68k, macppc, sparc64, and zaurus. I could also get sparc up and running as well. I am in the U.S. but I could provide hosting fairly easily. The original poster seemed to be asking more about an incremental update system. Maybe that's the wrong term but something along the lines of the name-your-favorite-linux-distribution setup. An example might be yum in CentOS (and others) or apt-get in Debian. This seems like a much more complicated option. While possible, it would take a lot of work. Any thoughts on this part? One way of doing this would be to provide a tarball that contains all of the affected files or binaries relevant to the particular fix or possibly one large tarball with every fix for -stable up to that point. This could be installed with tar or even a nice little shell script. What about this? Bryan
Re: Binary kernel and base update
Bryan Vyhmeister wrote: I just skimmed this whole thread and I am wondering about a couple of things. It appears that all of you are talking about basically following the instructions for release(8) and just providing the generated files for people. Is that correct? That is not enough. You have to make sure you packages are up-to-date as well. So you are also into bulk package building. If you want to this right, it is a lot work; that's why we don't do it in the project and that's probably also the reason why we ask money for it ;) You need machinery and a lot of time...
Re: Binary kernel and base update
On 2007/04/15 02:37, Bryan Vyhmeister wrote: > The original poster seemed to be asking more about an incremental > update system. Maybe that's the wrong term but something along the > lines of the name-your-favorite-linux-distribution setup. An example > might be yum in CentOS (and others) or apt-get in Debian. This seems > like a much more complicated option. While possible, it would take a > lot of work. Any thoughts on this part? That follows from the "base OS" being a bunch of unrelated packages as done in most Linux distributions. > One way of doing this would be to provide a tarball that contains all > of the affected files or binaries relevant to the particular fix or > possibly one large tarball with every fix for -stable up to that > point. This could be installed with tar or even a nice little shell > script. What about this? I run -current on most systems, but I would imagine that many people who made the more conservative decision to run -stable rather than -current would probably prefer not to trust third-party binaries either.
Re: Binary kernel and base update
On Apr 15, 2007, at 3:05 AM, Marc Balmer wrote: Bryan Vyhmeister wrote: I just skimmed this whole thread and I am wondering about a couple of things. It appears that all of you are talking about basically following the instructions for release(8) and just providing the generated files for people. Is that correct? That is not enough. You have to make sure you packages are up-to- date as well. So you are also into bulk package building. If you want to this right, it is a lot work; that's why we don't do it in the project and that's probably also the reason why we ask money for it ;) You need machinery and a lot of time... That's true. It would take lots of time. Packages are not updated that frequently as I recall though for -stable. It would take a lot of time to check on this regularly though. Bryan
Re: Binary kernel and base update
On Apr 15, 2007, at 3:09 AM, Stuart Henderson wrote: On 2007/04/15 02:37, Bryan Vyhmeister wrote: The original poster seemed to be asking more about an incremental update system. Maybe that's the wrong term but something along the lines of the name-your-favorite-linux-distribution setup. An example might be yum in CentOS (and others) or apt-get in Debian. This seems like a much more complicated option. While possible, it would take a lot of work. Any thoughts on this part? That follows from the "base OS" being a bunch of unrelated packages as done in most Linux distributions. That's very true and that is one big reason why I like OpenBSD so much. One way of doing this would be to provide a tarball that contains all of the affected files or binaries relevant to the particular fix or possibly one large tarball with every fix for -stable up to that point. This could be installed with tar or even a nice little shell script. What about this? I run -current on most systems, but I would imagine that many people who made the more conservative decision to run -stable rather than -current would probably prefer not to trust third-party binaries either. (As an aside, how often do you update your -current systems and do you run -current on production servers?) I realize that this is always the issue when you are dealing with non- official binaries. In a production environment, I do build my own releases and all to use internally but I also recognize that this can be a pain for some people. Certain architectures like mac68k take next to forever to finish a release. The last time I tried with 3.9, it took a week and then failed with something. As soon as 4.1 has some security errata, I am going to attempt the build again on mac68k. It isn't worth it with 4.0 now that 4.1 is right around the corner. Of course this brings up the point that in a production setting, you really would have no good reason to be using mac68k machines. Other more powerful architectures can be patched pretty easily. I guess the ideal really would be for someone to put the work into developing a good way to distribute an update tarball like I referred to above and then this work could be integrated into the base system or something. Whoever put the work into this could I suppose do the work of creating the tarballs but these "official" updates could be distributed through the usual mirrors and such. That would be nice but reality sets in. I may just start fiddling around with this concept when I have a little more time. Bryan
Re: Binary kernel and base update
On 2007/04/15 03:41, Bryan Vyhmeister wrote: > (As an aside, how often do you update your -current systems varies; main desktop/laptop and any boxes I use when I'm working on anything to do with ports, fairly often. other machines - generally when there's a fix that I want or when there's something particular to test. > and do you run -current on production servers?) sometimes. I've probably got more production routers than servers running OpenBSD, almost all of the routers run varying degrees of -current.
Re: Binary kernel and base update
On Apr 16, 2007, at 3:51 AM, Stuart Henderson wrote: On 2007/04/15 03:41, Bryan Vyhmeister wrote: (As an aside, how often do you update your -current systems varies; main desktop/laptop and any boxes I use when I'm working on anything to do with ports, fairly often. other machines - generally when there's a fix that I want or when there's something particular to test. OK. Thanks for the info. and do you run -current on production servers?) sometimes. I've probably got more production routers than servers running OpenBSD, almost all of the routers run varying degrees of -current. My DNS servers are running older versions of current that I need to update. I am always a little concerned that I am going to run into a show-stopping bug that would cause downtime for an important server such as a mail server. That's why there is -release and -stable I suppose. The biggest reason I see personally for running -current is to get access to newer ports. Bryan
Re: Binary kernel and base update
On Tuesday, April 10, 2007 at 01:43:56 +0200, [EMAIL PROTECTED] wrote: >Hi all. > >I have noticed that the OpenBSD team puts a lot of emphasis on using binary >packets rather than building from ports, which I think IMHO is good, but why >is it that there is no binary kernel updates, rather than patching the kernel >from source? Some progress was made in the last couple of days. First results are up at ftp://ftp.su.se/pub/mirrors/openbsd_stable/ I hope to add amd64, alpha and hppa in the near future. I don't have the hardware to build other architectures. If someone can help building one of the missing architectures, please let me know. Comments and suggestions are welcome. Maurice
Re: Binary kernel and base update
On Thursday, April 19, 2007 at 23:45:51 +0200, Maurice Janssen wrote: >Some progress was made in the last couple of days. First results are up >at ftp://ftp.su.se/pub/mirrors/openbsd_stable/ > >I hope to add amd64, alpha and hppa in the near future. I don't have >the hardware to build other architectures. >If someone can help building one of the missing architectures, please >let me know. > >Comments and suggestions are welcome. Judging by the number of reactions, nobody seems to be interested. I don't mind putting some time and effort into building these releases if people find them useful. But when nobody cares, then there are other things I can do in my spare time. I would appreciate some feedback. Maurice
Re: Binary kernel and base update
On 28/04/07, Maurice Janssen <[EMAIL PROTECTED]> wrote: On Thursday, April 19, 2007 at 23:45:51 +0200, Maurice Janssen wrote: >Some progress was made in the last couple of days. First results are up >at ftp://ftp.su.se/pub/mirrors/openbsd_stable/ > >I hope to add amd64, alpha and hppa in the near future. I don't have >the hardware to build other architectures. >If someone can help building one of the missing architectures, please >let me know. > >Comments and suggestions are welcome. Judging by the number of reactions, nobody seems to be interested. I don't mind putting some time and effort into building these releases if people find them useful. But when nobody cares, then there are other things I can do in my spare time. I would appreciate some feedback. I'm extremely interested in binary updates as I don't yet have the resources to put together a build server and compiling updates in qemu is very painful. Until these binaries are trusted by the OpenBSD project though (which is to say, possibly never), I can't really afford the risk of putting them on live machines. Sorry. I expect you'll receive other replies along the same lines. MC
Re: Binary kernel and base update
On Sun, 29 Apr 2007 02:35:06 +0100 "mal content" <[EMAIL PROTECTED]> wrote: > On 28/04/07, Maurice Janssen <[EMAIL PROTECTED]> wrote: > > On Thursday, April 19, 2007 at 23:45:51 +0200, Maurice Janssen wrote: > > >Some progress was made in the last couple of days. First results are up > > >at ftp://ftp.su.se/pub/mirrors/openbsd_stable/ > > > > > >I hope to add amd64, alpha and hppa in the near future. I don't have > > >the hardware to build other architectures. > > >If someone can help building one of the missing architectures, please > > >let me know. > > > > > >Comments and suggestions are welcome. > > > > Judging by the number of reactions, nobody seems to be interested. > > I don't mind putting some time and effort into building these releases > > if people find them useful. But when nobody cares, then there are other > > things I can do in my spare time. I would appreciate some feedback. > > I'm extremely interested in binary updates as I don't yet have the resources > to put together a build server and compiling updates in qemu is very painful. > > Until these binaries are trusted by the OpenBSD project though (which is > to say, possibly never), I can't really afford the risk of putting them on > live machines. Sorry. Like Mal is saying this is the problem. Someone from the devs wrote me at the beginning of this thread saying that it was a matter of resources and people. He also wrote that the devs was not commenting on this thread because, like most times, they recieve a lot of good ideas, and people talk, but nobody ever does any work, he said that people should stop talking and then just get the work done. Someone has now done the work and more are willing to contribute. > I expect you'll receive other replies along the same lines. > > MC
Re: Binary kernel and base update
Maurice Janssen skrev: On Thursday, April 19, 2007 at 23:45:51 +0200, Maurice Janssen wrote: Some progress was made in the last couple of days. First results are up at ftp://ftp.su.se/pub/mirrors/openbsd_stable/ I hope to add amd64, alpha and hppa in the near future. I don't have the hardware to build other architectures. If someone can help building one of the missing architectures, please let me know. Comments and suggestions are welcome. Judging by the number of reactions, nobody seems to be interested. I don't mind putting some time and effort into building these releases if people find them useful. But when nobody cares, then there are other things I can do in my spare time. I would appreciate some feedback. Maurice A great initiative! I have tried the i386 stable-build and it is working as expected. I will definately have use for your work, can't wait for the first patch to the 4.1 release ;) /Johan
Re: Binary kernel and base update
On 28/04/07, Maurice Janssen <[EMAIL PROTECTED]> wrote: On Thursday, April 19, 2007 at 23:45:51 +0200, Maurice Janssen wrote: >Some progress was made in the last couple of days. First results are up >at ftp://ftp.su.se/pub/mirrors/openbsd_stable/ > >I hope to add amd64, alpha and hppa in the near future. I don't have >the hardware to build other architectures. >If someone can help building one of the missing architectures, please >let me know. > >Comments and suggestions are welcome. Judging by the number of reactions, nobody seems to be interested. I don't mind putting some time and effort into building these releases if people find them useful. But when nobody cares, then there are other things I can do in my spare time. I would appreciate some feedback. The initiative is very interesting, it would be nice if it was sanctioned by the official team. My problem with it is that the only OpenBSD boxes I'm running are my own systems, on which I'm running -current. But if you have several boxes in production running -stable a source of updates for them is a very interesting resource. Maurice -- viq
Re: Binary kernel and base update
trust On a related note, what is the OpenBSD project's criteria for "trust" in matters such as this? MC
Re: Binary kernel and base update
"mal content" <[EMAIL PROTECTED]> writes: > > trust > > On a related note, what is the OpenBSD project's criteria for "trust" > in matters such as this? Simple, I trust the people I drink beer with. //art
Re: Binary kernel and base update
On Sunday, April 29, 2007 at 09:06:28 +0200, Johan Linner wrote: >A great initiative! >I have tried the i386 stable-build and it is working as expected. >I will definately have use for your work, can't wait for the first patch >to the 4.1 release ;) Thanks for the feedback. Nice to know that at least somebody is using the file sets. The i386 build for 4.1 is done and will appear at ftp.su.se tomorrow. Other architectures will follow soon. Maurice
Re: Binary kernel and base update
On Sunday, April 29, 2007 at 02:35:06 +0100, mal content wrote: >I'm extremely interested in binary updates as I don't yet have the resources >to put together a build server and compiling updates in qemu is very >painful. > >Until these binaries are trusted by the OpenBSD project though (which is >to say, possibly never), I can't really afford the risk of putting them on >live machines. Sorry. > >I expect you'll receive other replies along the same lines. Yep, I also received some email off the list with the same reason. Which I can fully understand, of course. Perhaps this will evolve into something that's an official part of OpenBSD. I'm not sure how, but we'll see how it goes from here. Maurice
Re: Binary kernel and base update
On Mon, Apr 30, 2007 at 04:21:34PM +0200, Maurice Janssen wrote: > On Sunday, April 29, 2007 at 02:35:06 +0100, mal content wrote: > >I'm extremely interested in binary updates as I don't yet have the resources > >to put together a build server and compiling updates in qemu is very > >painful. > > > >Until these binaries are trusted by the OpenBSD project though (which is > >to say, possibly never), I can't really afford the risk of putting them on > >live machines. Sorry. > > > >I expect you'll receive other replies along the same lines. > > Yep, I also received some email off the list with the same reason. > Which I can fully understand, of course. > > Perhaps this will evolve into something that's an official part of > OpenBSD. I'm not sure how, but we'll see how it goes from here. This is just an idea, and might well be completely retarded/wrong, but: Unless I am mistaken, the reason that compiling the same binary twice yields different results is that gcc adds some randomness (barring special circumstance like including date, time, host and version in the kernel, and so on). If one were to extend gcc to accept random data from a file as well as the usual sources (/dev/arandom and such, I suppose), would this not make sure that, given the original random data, one always gets the same binaries? And, by extension, the same tar.gz? (Although I'm beginning to think that the latter would most likely not work without some additional trickery - *something* is bound to have the compilation time or host in there. For the same reason, it wouldn't work with kernels, but compiling a kernel is much faster than compiling everything, and hacking the kernel build script to include whatever one wants can't be that difficult, anyway.) If this idea is correct, and I am correct in thinking that I could hack this into gcc, the project would only have to provide the random data (I don't think the exact data matters, as long as everyone uses the same and it's actually somewhat random, but a known-good source can't hurt). In the absence of a nicer way to validate releases, which will doubtlessly be provided soon, simply posting an appropriate checksum (SHA1 or SHA256) to misc@ would suffice. Do note the disclaimer at the top, though... Joachim -- TFMotD: afterboot (8) - things to check after the first complete boot
Re: Binary kernel and base update
In article <[EMAIL PROTECTED]>, Artur Grabowski wrote: > > Simple, I trust the people I drink beer with. Do they have to be drinking beer too? :) -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: Binary kernel and base update
On Tuesday, May 1, 2007 at 00:04:06 +0200, Joachim Schipper wrote: >This is just an idea, and might well be completely retarded/wrong, but: > >Unless I am mistaken, the reason that compiling the same binary twice >yields different results is that gcc adds some randomness (barring >special circumstance like including date, time, host and version in the >kernel, and so on). > >If one were to extend gcc to accept random data from a file as well as >the usual sources (/dev/arandom and such, I suppose), would this not >make sure that, given the original random data, one always gets the same >binaries? Perhaps, but what's the benefit? After applying a patch, I don't want to have the same binaries, but new and different binaries. Maurice
Re: Binary kernel and base update
On Tue, May 01, 2007 at 10:36:08PM +0200, Maurice Janssen wrote: > On Tuesday, May 1, 2007 at 00:04:06 +0200, Joachim Schipper wrote: > >This is just an idea, and might well be completely retarded/wrong, but: > > > >Unless I am mistaken, the reason that compiling the same binary twice > >yields different results is that gcc adds some randomness (barring > >special circumstance like including date, time, host and version in the > >kernel, and so on). > > > >If one were to extend gcc to accept random data from a file as well as > >the usual sources (/dev/arandom and such, I suppose), would this not > >make sure that, given the original random data, one always gets the same > >binaries? > > Perhaps, but what's the benefit? After applying a patch, I don't want > to have the same binaries, but new and different binaries. I'm not certain that's as much of a problem as you appear to think, but the idea is, in fact, retarded, as someone pointed out to me in a (very polite!) off-list message. (gcc doesn't insert randomness; on the other hand, tools like ar(1) (for static libraries) and tar(1) include timestamps. Actually checking before posting random crap might be a good idea. Shame on me! Sorry for the noise, everyone...) Joachim -- PotD: x11/wmtz - wm-dockapp; displays the time in different time zones
