BSDSec

deadsimple BSD Security Advisories and Announcements

Updates regarding FreeBSD.org svn mirrors

There have been some updates to the project-operated svn mirrors.  The current 
status is here:
  https://www.freebsd.org/doc/handbook/svn.html

The changes should improve robustness and security and are not intended to be 
disruptive.

Of note:
* "svn.freebsd.org" is now geo-dns routed to a mirror, with failover.
* "svn.freebsd.org" is now the recommended location for general use.
* https://svn.freebsd.org now has a real certificate and use of https is 
encouraged.
* The old mirror names are deprecated and no longer documented but are 
expected to continue to be usable for the foreseeable future.

For future checkouts, you should use svn.freebsd.org rather than the 
deprecated mirror names.

Before using the https method, you should ensure that you have the 
'security/ca_root_nss' package installed, for example:
  # pkg install ca_root_nss

Existing svn checkouts may be adjusted to use the new configuration by using 
the 'svn relocate' command.  This command is used to change the repository 
root prefix that you can see in the output of 'svn info'.  Instructions on the 
use of svn commands are beyond the scope of this announcement, but there is 
documentation available online at the time of writing:

http://svnbook.red-bean.com/en/1.8/svn.ref.svn.c.relocate.html
http://svnbook.red-bean.com/en/1.7/svn.ref.svn.c.relocate.html

As a brief example, if you had a checkout from
  svn://svn0.eu.freebsd.org/base/head/sys
you could use the following command to use the new infrastructure:
  $ svn relocate svn://svn0.eu https://svn
After this command completes, the root would be:
  https://svn.freebsd.org/base/head/sys
Note that the 'ca_root_nss' package should be installed before doing this.
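
The relocation steps above as a script. This is an added example, not part of the original announcement. It goes beyond the single svn0.eu case by handling any mirror host matching the assumed pattern svn0.<region>.freebsd.org, and the function names new_root and relocate_checkout are hypothetical. It reads the "Repository Root" line of 'svn info', refuses to touch a checkout whose root is not on a deprecated mirror, and checks for ca_root_nss before switching to https:

```shell
#!/bin/sh
# Added example (not from the announcement). Function names are hypothetical.

# Print the https://svn.freebsd.org equivalent of a URL on a deprecated mirror.
# Returns 1 for anything else, so an unexpected root is never rewritten.
# Assumption: deprecated mirrors are named svn0.<region>.freebsd.org.
new_root() {
    case "$1" in
        svn://*|http://*|https://*) ;;
        *) return 1 ;;
    esac
    rest=${1#*://}      # host/path
    host=${rest%%/*}    # compare the host only, never the path
    [ "$rest" != "$host" ] || return 1   # no path component
    case "$host" in
        svn0.*.[Ff]ree[Bb][Ss][Dd].org) ;;
        *) return 1 ;;
    esac
    printf 'https://svn.freebsd.org/%s\n' "${rest#*/}"
}

# Relocate one working copy (default: current directory).
relocate_checkout() {
    wc=${1:-.}
    # Certificate verification for https needs the CA bundle from this package.
    pkg info -e ca_root_nss || {
        echo "install security/ca_root_nss first" >&2; return 1; }
    # 'svn info' prints the root prefix that 'svn relocate' rewrites.
    old=$(LC_ALL=C svn info "$wc" | sed -n 's/^Repository Root: //p')
    new=$(new_root "$old") || {
        echo "leaving $wc alone, root is: $old" >&2; return 0; }
    svn relocate "$old" "$new" "$wc" &&
        LC_ALL=C svn info "$wc" | sed -n 's/^Repository Root: //p'
}
```

Source the file and run, for example, relocate_checkout /usr/src; on success it prints the new repository root.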

Changing the svn root in git-svn is a non-trivial operation and should only be 
attempted by people familiar with the intricacies of git-svn.

In summary:
* You should not *need* to change anything.
* You should stop using the old mirror names for new checkouts.
* You may update existing checkouts if convenient/desired.
* If in doubt, leave your checkouts alone.  They will work as before.