Bug 209147

Summary: freebsd-update not working in 10.3-RELEASE
Product: Base System
Reporter: Alexander <sa.inbox>
Component: bin
Assignee: freebsd-bugs mailing list <bugs>
Status: Closed FIXED
Severity: Affects Many People
CC: adamw, allan, amd64, cweimann, dch, donnex, douglaswth, eric, fcondo, fred, freebsd, gkontos, ish, junovitch, kaltheat, lewismj, lifanov, lukasz, me, michael.kroes, ncrogers, nick, pi, pierre, rkoberman, wolfgang
Priority: ---
Version: 10.3-RELEASE
Hardware: amd64
OS: Any

Description Alexander 2016-04-29 09:58:28 UTC
freebsd-update not working in FreeBSD 10.3-RELEASE. 

FreeBSD-SA-16:16.ntp installation failed on clean 10.3 release installation and on 10.3 after 10.2-->10.3 upgrade. Issue also reported by many people on forums.

# freebsd-update fetch install
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching metadata signature for 10.3-RELEASE from update5.freebsd.org... done.
Fetching metadata index... done.

The update metadata is correctly signed, but
failed an integrity check.
Cowardly refusing to proceed any further.
Comment 1 Nick Hibma 2016-04-29 10:25:03 UTC
Same here.

Problem lies in the sanity check files it seems:

# P="[-+./:=,%@_[~[:alnum:]]"
# M="[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+"
# H="[0-9a-f]{64}"
# grep -E '^d' /var/db/freebsd-update/sanitycheck.tmp | grep -vE "^d\|${M}\|\|\$"
d|0|0|0755|0|c093e4bf4a89d44d5259b6f6b288f1d50e5eed303b3ef0aef616c613e9a693fe|

Somehow there is a SHA checksum in the file that should not be there.

# gunzip < /var/db/freebsd-update/files/9cf1e357208f9af6874aafbf98c4092d71d1d4f827e249c8ae61284accfd0809.gz | grep c093e4bf4a89d44d5259b6f6b288f1d50e5eed303b3ef0aef616c613e9a693fe
src|src|/|d|0|0|0755|0|c093e4bf4a89d44d5259b6f6b288f1d50e5eed303b3ef0aef616c613e9a693fe|


Guess: Mayhaps this has become a link on the update-diff build host and handling of that is not correct yet?
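
The directory check from comment 1, packaged as an added example that is not part of the comment and not freebsd-update's own code. The function names and the sample index are constructed for illustration; only the pattern and the one failing line come from the report.

```shell
#!/bin/sh
# Added example, not freebsd-update's own code. It re-applies the
# directory-entry pattern quoted in comment 1 to a metadata index.

# Four numeric fields, as in comment 1: uid|gid|mode|flags (names assumed).
M="[0-9]+\|[0-9]+\|[0-9]+\|[0-9]+"

# stdin: full index lines. Drops the first three fields (compare the
# gunzip output with the sanitycheck.tmp line in comment 1) and prints
# each directory entry that is not exactly d|n|n|n|n||.
bad_dir_entries() {
    cut -f 4- -d '|' | grep -E '^d' | grep -vE "^d\|${M}\|\|\$"
}

# Returns 0 when every directory entry is well formed, 1 otherwise.
check_index() {
    bad=$(bad_dir_entries || true)
    [ -z "$bad" ] && return 0
    printf 'rejected directory entries:\n%s\n' "$bad" >&2
    return 1
}

# Constructed sample index. Only the second line is taken from the report.
sample_index() {
    cat <<'EOF'
src|src|/usr/src|d|0|0|0755|0||
src|src|/|d|0|0|0755|0|c093e4bf4a89d44d5259b6f6b288f1d50e5eed303b3ef0aef616c613e9a693fe|
world|base|/bin|d|0|0|0755|0||
EOF
}

if sample_index | check_index; then
    echo "index passes the directory check"
else
    echo "index fails the directory check"
fi
```

A single directory entry with a non-empty hash field is enough to make the whole index fail, which matches the refusal shown in the description.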
Comment 2 Michael Lewis 2016-05-02 14:34:21 UTC
I think the initial fix may have solved one issue, but now there is an issue with version(s) that is affecting people. After installing the patch, I verified that I was on 10.3 p1:

root@www:~ # freebsd-version
10.3-RELEASE-p1

However, when I re-run fetch:

"
freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching metadata signature for 10.3-RELEASE from update5.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 10.3-RELEASE-p0."

It is indicating 10.3 p0 

See the later comments on this thread, https://forums.freebsd.org/threads/56060/
Slightly more serious issue for people that have built their own kernels.
Comment 3 Jason Unovitch freebsd_committer 2016-05-03 13:37:17 UTC
(In reply to Nick Hibma from comment #1)
There was an issue in the metadata.  See https://lists.FreeBSD.org/pipermail/freebsd-security/2016-May/008923.html.
Comment 4 Jason Unovitch freebsd_committer 2016-05-03 13:38:35 UTC
(In reply to Michael Lewis from comment #2)
10.3-RELEASE-p1 wasn't a kernel update so that is expected.
Comment 5 Masachika ISHIZUKA 2016-05-04 23:57:07 UTC
(In reply to Jason Unovitch from comment #4)
I don't think so.
freebsd-update can update both kernel and userland.

I want to update to 10.3-RELEASE-p2 from 10.3-RELEASE-p1, but cannot update with freebsd-update.

# freebsd-version -ku
10.3-RELEASE
10.3-RELEASE-p1
# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching metadata signature for 10.3-RELEASE from update6.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
No updates needed to update system to 10.3-RELEASE-p0.
Comment 6 Adam Weinberger freebsd_committer 2016-05-05 01:26:58 UTC
(In reply to Masachika ISHIZUKA from comment #5)

Jason, Masachika is correct. The update servers are serving p2 for i386, but have been stuck at p0 ever since 10.3-RELEASE.

You can verify this with

    for arch in i386 amd64; do \
    URLBASE="http://update.freebsd.org/10.3-RELEASE/$arch"; \
    fetch -qo- $URLBASE/latest.ssl \
        | openssl rsautl -pubin -inkey \
            =( fetch -qo- $URLBASE/pub.ssl ) -verify; \
    done

freebsd-update|i386|10.3-RELEASE|2|9292852427c7151fbe106b93c4e67be5fcfafc009c4e17ca0cbfca037c8a6b97|1525132800

freebsd-update|amd64|10.3-RELEASE|0|8797efb5915e47a0a9bbcd69e1389d010a8041f8f1ca2c0dcfc0c4e4eca3fa8c|1525132800

So, for whatever reason, the i386 updates are being built and published, but the amd64 updates haven't been yet.
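
The comparison made in comment 6, as an added example that is not part of the comment or of freebsd-update. It assumes the tag lines have already been verified as in the command above, and that field 4 is the patch level, as the comment reads it; the function names and the malformed sample line are constructed.

```shell
#!/bin/sh
# Added example, not part of freebsd-update. Compares the patch level in
# already-verified latest.ssl tag lines across architectures.

# Shape of the tag lines shown in comment 6; other lines are ignored.
TAG_RE='^freebsd-update\|[^|]+\|[^|]+\|[0-9]+\|[0-9a-f]{64}\|[0-9]+$'

# stdin: one verified tag line per architecture.
# stdout: "<release> <arch> p<level> (newest p<max>)" for each laggard.
lagging_arches() {
    grep -E "$TAG_RE" | awk -F'|' '
        { key = $3 " " $2; level[key] = $4 + 0
          if (!($3 in max) || $4 + 0 > max[$3]) max[$3] = $4 + 0 }
        END {
          for (k in level) {
            split(k, p, " ")
            if (level[k] < max[p[1]])
              printf "%s %s p%d (newest p%d)\n", p[1], p[2], level[k], max[p[1]]
          }
        }' | sort
}

# The two tag lines quoted in comment 6, plus one constructed malformed
# line to show that it is dropped rather than compared.
sample_tags() {
    cat <<'EOF'
freebsd-update|i386|10.3-RELEASE|2|9292852427c7151fbe106b93c4e67be5fcfafc009c4e17ca0cbfca037c8a6b97|1525132800
freebsd-update|amd64|10.3-RELEASE|0|8797efb5915e47a0a9bbcd69e1389d010a8041f8f1ca2c0dcfc0c4e4eca3fa8c|1525132800
freebsd-update|amd64|10.3-RELEASE|x|not-a-hash|0
EOF
}

sample_tags | lagging_arches
```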
Comment 7 Alexander 2016-05-05 06:23:19 UTC
Recent updates released on 2016-05-04 are not available for 10.3-RELEASE amd64.

# freebsd-version -ku
10.3-RELEASE
10.3-RELEASE-p1
# freebsd-update fetch install
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching metadata signature for 10.3-RELEASE from update6.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 10.3-RELEASE-p0.
No updates are available to install.
Run '/usr/sbin/freebsd-update fetch' first.
Comment 8 Wolfgang Petzold 2016-05-05 10:25:58 UTC
Apart from the headline, this seems not only to affect 10.3.

With the recent SA 16:17-openssl announcing 10.3-RELEASE-p16, I am experiencing this:

# freebsd-version -ku
10.2-RELEASE-p14
10.2-RELEASE-p15
# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching metadata signature for 10.2-RELEASE from update5.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 10.2-RELEASE-p15.
Comment 9 ncrogers 2016-05-05 14:04:39 UTC
Might be unrelated, but similar to 10.2 and 10.3, there appears to be no 10.1-RELEASE-p33 on the update servers.
Comment 10 gkontos 2016-05-05 16:59:22 UTC
root@mx001:~ # freebsd-version 
10.3-RELEASE-p1

root@mx001:~ # freebsd-update fetch
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching metadata signature for 10.3-RELEASE from update4.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 10.3-RELEASE-p0.
Comment 11 Adam Weinberger freebsd_committer 2016-05-05 20:35:17 UTC
(In reply to gkontos from comment #10)

Yes. Folks, you can stop pasting in your error message, everyone gets the same error.

See https://docs.freebsd.org/cgi/getmsg.cgi?fetch=45930+0+current/freebsd-security for confirmation.

There is clearly a problem with amd64 updates not being built. The solution will come from a combination of the security team and the server admin team. I guarantee you both teams are aware of the problem.
Comment 12 Chris Hutchinson 2016-05-05 22:01:16 UTC
(In reply to Adam Weinberger from comment #11)
> (In reply to gkontos from comment #10)
> 
> Yes. Folks, you can stop pasting in your error message, everyone gets the
> same error.
> 
> See https://docs.freebsd.org/cgi/getmsg.cgi?fetch=45930+0+current/freebsd-security
> for confirmation.
> 
> There is clearly a problem with amd64 updates not being built. The solution
> will come from a combination of the security team and the server admin team.
> I guarantee you both teams are aware of the problem.

Yet those in the know, felt they couldn't afford to squander the 120 seconds
required to inform the FreeBSD Community -- those who use, and depend on
FreeBSD. About their concerns -- especially in light of the recent SA?

It's been better than 2 days, after all. :(
Comment 13 Adam Weinberger freebsd_committer 2016-05-05 22:12:44 UTC
(In reply to Chris Hutchinson from comment #12)

When it relates to a security issue (all updates to a -RELEASE branch are under the control of the SO), there's no external statement until they're ready to make one.

I wish I had a better answer, Chris, but I'm waiting for those binary updates same as you are.
Comment 14 Adam Weinberger freebsd_committer 2016-05-05 23:15:38 UTC
https://docs.freebsd.org/cgi/getmsg.cgi?fetch=79566+0+current/freebsd-security

The updates are on the server now. Closing this PR.