FreeBSD Moves to Subversion


October 31, 2013

FreeBSD users are accustomed to being able to download the entire operating system source code with the ability to compile additional functionality into the kernel and applications. This service had been previously provided by the cvsup and csup programs. Due to the compromise of two FreeBSD cluster servers, the project moved forward with its intention to replace cvsup and csup. This includes the move to subversion.

The compromise of the FreeBSD servers led to a complete analysis on how developers and users access the software. The issue was caused by an exposed SSH key from a developer that allowed access to one of the legacy build servers (See FreeBSD Compromise of 2012 for reference). The FreeBSD team had to essentially rebuild the binary packages for the FreeBSD 9.1 release because although nothing seemed to have been changed, no backups existed to verify their integrity. With this rebuild, the FreeBSD team moved towards implementing their new process for maintaining source code. At this point in time, the use of csup/cvsup is no longer supported.

This article covers the new way to keep up-to-date with the FreeBSD source code. The first thing that needs to be completed is an install of FreeBSD 9.2 (amd64) which was just released (See FREEBSD-INSTALL for installation instructions). Make sure there is at least 6 GB of space available on the hard drive to provide enough space for the system source. This how-to assumes that the system source has not been installed with bsdinstall. The first step is to install subversion. At the time of this writing, the new package management tool pkgng is available, but the older pkg tools will be used to install subversion. Listing 1 shows how to install the package for subversion.

Users of cvsup and csup will remember how some configuration was required to pull the appropriate pieces of code down from various mirrors for a specific release of FreeBSD (examples include src-all, ports-all, etc.). With subversion, the code can be checked out from a URL and then maintained by way of the application. Subversion allows for additional protocols to be used to check out source code (svn, http, https, rsync). There are currently three mirrors serving up content that provide some redundancy for getting access to code. As time goes on, there should be a large number of mirrors available to use. To maintain the source code, the svn update command can simply be run from the path of the system source. Listing 2 shows the initial checkout of the system source code using subversion, and an example of updating the stable branch to the latest revision using svn update.

With the system source checked out, building the base system and kernel is the same as before, since only the revision control software has changed. The Makefile in the /usr/src directory lists the same steps for building the base system and kernel. The example in Listing 2 shows checking out source code from the stable branch, but a specific release can also be checked out. Checking out from base/stable/9 will download the latest stable code for the 9.x series of FreeBSD, which is currently 9.2. To only follow the 9.1 branch, the following URL may be used: https://svn0.us-east.freebsd.org/base/releng/9.1/.

Most FreeBSD users are familiar with the use of portsnap to update the ports tree. Subversion can also be used to keep the ports tree and other branches (such as doc) up-to-date with the latest data. The update steps are the same for the ports tree using subversion. Additional port management tools such as portaudit and portmaster assist with the rebuilding of ports once updated code exists in the tree. Listing 3 shows the similar procedure for checking out the ports tree with subversion, and an example of updating the tree to the latest revision using svn update.
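The checkout-then-update procedure described above, wrapped in a small script. This is an added example, not one of the article's listings and not FreeBSD project code. The function names are hypothetical, and the https-only rule and the working-copy URL check are assumptions added here; the mirror host and branch paths are the ones named in the article.

```shell
#!/bin/sh
# Added example: checkout-or-update wrapper for a FreeBSD Subversion tree.
# MIRROR is the host named in the article; all function names are hypothetical.
MIRROR="https://svn0.us-east.freebsd.org"

# tree_url REPO BRANCH -> prints the full URL, e.g. tree_url base stable/9
tree_url() {
    case "$1" in
        base|ports|doc) ;;
        *) echo "unknown repository: $1" >&2; return 1 ;;
    esac
    case "$2" in
        ""|/*|*..*|*[!A-Za-z0-9./_-]*) echo "bad branch: $2" >&2; return 1 ;;
    esac
    printf '%s/%s/%s\n' "$MIRROR" "$1" "$2"
}

# sync_action URL DIR -> prints "checkout" for a fresh directory and
# "update" for an existing working copy; rejects anything but https.
sync_action() {
    case "$1" in
        https://*) ;;
        *) echo "refusing non-https URL: $1" >&2; return 1 ;;
    esac
    if [ -d "$2/.svn" ]; then echo update; else echo checkout; fi
}

# sync_tree REPO BRANCH DIR: run svn, but never update a working copy
# that was checked out from a different URL than the one requested.
sync_tree() {
    url=$(tree_url "$1" "$2") || return 1
    action=$(sync_action "$url" "$3") || return 1
    if [ "$action" = checkout ]; then
        svn checkout "$url" "$3"
        return
    fi
    have=$(svn info "$3" | sed -n 's/^URL: //p')
    if [ "$have" != "$url" ]; then
        echo "$3 tracks $have, not $url" >&2
        return 1
    fi
    svn update "$3"
}

# Runs only when three arguments are given, e.g.:
#   sh sync.sh base stable/9 /usr/src
if [ "$#" -eq 3 ]; then sync_tree "$@"; fi
```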

All of the recommendations in this article are for individuals who wish to build the system or kernel from source. Keeping up-to-date is better done by way of freebsd-update for patches to the base OS and portsnap for updating the ports tree. Subversion is just the standard going forward for providing system source to users and developers. The change is subtle and does not add too much overhead to maintaining system source on a FreeBSD server. Though not covered in this article, there are various ways to use the popular developer tool git to pull down a clone of the source code, but this is left as an exercise for the reader. These procedures will also work for the upcoming release of FreeBSD 10 which should be released in the first part of 2014.

About the Author

Michael Shirk is a BSD zealot who has worked with OpenBSD and FreeBSD for over 7 years. He works in the security community and supports Open Source security products that run on BSD operating systems. Michael is the Chief Executive Manager of Daemon Security Inc., a company which provides security solutions utilizing the BSD operating systems:  http://www.daemon-security.com.

This article was re-published with the permission of BSD Magazine. To learn more about iXsystems' commitment to open source, check us out here: https://www.ixsystems.com/about-ix/
