The (good) deal with freebsd-update(8)

Earlier today, I stumbled across a blog post by Radu Cristian Fotescu entitled The (bad) deal with freebsd-update(8), which (as the title suggests) casts FreeBSD Update in a rather unfavourable light. Since the author is misinformed about several details, I'm taking this opportunity to set the record straight.

First, the author points out that there is an older version of FreeBSD Update available in the ports tree, which he states "can only fetch updates for FreeBSD 6.1". In fact, the version in the ports tree works for releases dating back to FreeBSD 4.7 (although it obviously doesn't provide binary updates to fix bugs which were uncovered after a release ceased to be supported by the FreeBSD Security Team). The only releases which the version of FreeBSD Update in the ports tree does not support are FreeBSD 6.2 and up -- versions of FreeBSD which contain a new (and vastly improved) version of FreeBSD Update in the base system. Once FreeBSD Update is in all supported FreeBSD releases (i.e., in June) I'll remove the old FreeBSD Update code from the ports tree.

Next, the author questions the logic of having "64-byte keys" (actually, 64 hexadecimal digit keys) as file names, and suggests that this makes FreeBSD Update overly complex. Nothing could be further from the truth: In fact, as I described in my BSDCan'07 talk, the "Reference by [SHA256] hash" method makes both FreeBSD Update and Portsnap far simpler than they would otherwise be.

The author then moves on to speaking of "a patch applied to a given release and patch level", thereby demonstrating a fundamental misunderstanding of how FreeBSD Update works. In the author's mind (apparently), to update a system from FreeBSD 6.2-RELEASE-p9 to FreeBSD 6.2-RELEASE-p10, FreeBSD Update downloads a (single) patch and applies it. Not so; rather, FreeBSD Update fetches a file which tells it what FreeBSD 6.2-RELEASE-p10 looks like. FreeBSD Update then makes the system look like that: It can leave files alone if they are already up to date (or if the user has asked it to leave those files alone); or it can download or generate the new versions of files. Put another way, in most patching systems, the server will answer the question "how do I get there from here?" -- with FreeBSD Update, the server merely answers the question "where should I be going?" and leaves it up to the FreeBSD Update client to figure out how to get there.

Related to this error is another mistake which immediately follows: The author asserts that the "full new binaries" are not available. In fact, for every file which appears in a (recent) FreeBSD release, or in a FreeBSD release plus patches, is available via the FreeBSD Update server. (I was concerned that I might be technically violating the GPL on some files by this fact, until I remembered that the FreeBSD source code is also distributed via FreeBSD Update.) FreeBSD Update uses patches in exactly the same way as Portsnap: As I described in my BSDCan'07 talk (linked above), FreeBSD Update and Portsnap rely on "opportunistic patching" -- they start out by attempting to fetch patches and apply them, but if anything goes wrong (the patch isn't available, the file generated by patching has the wrong SHA256 hash, et cetera), they gracefully fall back to fetching the complete file.

Next, the author points out that the list of binary patches used for updating to FreeBSD 6.3 is publicly visible. Oops -- this is fixed now. I don't have any desire to keep this list of file names secret, but there are two very good practical reasons for turning off the directory indexing: First, Apache processes chew up lots of RAM when generating large directory listings; and second, I was having problems with robots ignoring my "don't crawl here" directives in robots.txt and loading down my server with large numbers of pointless requests.

Moving on, the author points to the approach of RedHat, Debian, and Mandriva, of distributing entirely new package tarballs, as a model to be emulated. I don't know how fast the author's internet connection is, but I know one of the most frequent comments I hear about FreeBSD Update is how incredibly fast it is. This is what binary patches do for you -- provide a fifty-fold reduction in the bandwidth needed to download security updates. The tool I wrote for this purpose -- bsdiff -- is now used by Apple, FireFox, Sophos, and probably Amazon's Kindle (in this last case, I haven't heard from any developers, but they have bsdiff code on the device, so presumably they're using it) in addition to FreeBSD, and in the summer of 2006 I calculated that it had saved users upwards of 100 person-years of waiting for updates to download. Returning to downloading complete tarballs every time a small change is made might be simple, but it wouldn't be very popular with many people who have to wait for said tarballs to download!

Finally, the author complains that he can't find the FreeBSD Update server code. As a comment to the blog entry points out, the server code is in the FreeBSD projects repository.

Posted at 2008-02-28 08:50 | Permanent link | Comments
blog comments powered by Disqus

Recent posts

Generalist AI doesn't scale
Please test: FreeBSD 13.3-RC1
An APPR claim with Air Canada
A Canadian payroll dependency chart
Some late-breaking FreeBSD 14 breakage
Tarsnap has given 2^18 dollars to open source
Announcing the FreeBSD/Firecracker platform
FreeBSD on the Graviton 3
FreeBSD/EC2: What I've been up to
FreeBSD/EC2 AMI Systems Manager Public Parameters

Monthly Archives

April 2024
February 2024
January 2024
December 2023
November 2023
October 2023
October 2022
May 2022
March 2022
August 2021
June 2021
March 2021
September 2020
May 2020
January 2020
November 2019
October 2019
February 2019
December 2018
July 2018
April 2018
February 2018
January 2018
November 2017
October 2017
June 2017
May 2017
February 2017
January 2017
October 2016
April 2016
January 2016
December 2015
November 2015
September 2015
August 2015
April 2015
January 2015
December 2014
November 2014
October 2014
September 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
September 2013
August 2013
June 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
May 2012
March 2012
January 2012
December 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
October 2010
September 2010
August 2010
July 2010
June 2010
April 2010
March 2010
December 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
June 2007
May 2007
March 2007
February 2007
January 2007
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
January 2006
December 2005
November 2005
October 2005
September 2005

Yearly Archives

2024
2023
2022
2021
2020
2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008
2007
2006
2005

RSS