Date: Sat, 17 Nov 2012 18:05:48 -0500 (EST)
From: Trevor Johnson
To: freebsd-security@freebsd.org
Subject: Re: Recent security announcement and csup/cvsup?

Chris Rees wrote:

> On 17 Nov 2012 15:06, "Gary Palmer" wrote:
>>
>> Hi,
>>
>> Can someone explain why the cvsup/csup infrastructure is considered insecure
>> if the person had access to the *package* building cluster? Is it because
>> the leaked key also had access to something in the chain that goes to cvsup,
>> or is it because the project is not auditing the cvsup system and so the
>> default assumption is that it cannot be trusted to not be compromised?
>>
>> If it is the latter, someone from the community could check rather than
>> encourage everyone who has been using csup/cvsup to wipe and reinstall
>> their boxes. Unfortunately the wipe option is not possible for me right
>> now and my backups do go back to before the 19th of September
>
> Checks are being made, but CVS makes it slow work.

It sounds as though someone is reading all the RCS files. Is that what's happening?

As I understand it, the doc, ports and src CVS repositories are now being generated from Subversion. According to the Web page about the breach, the Subversion repos are known to be intact. If known-good CVS trees from the time of the switchover to Subversion are available, couldn't updated CVS repos be made by running svn_cvsinject as described at http://sam.zoy.org/writings/programming/svn2cvs.html ?
It says:

    If your CVS repository ever gets corrupted, you can reinject every SVN commit by restoring your backuped CVS tree and calling svn_cvsinject again for every revision since you used cvs2svn.

It seems that this would be far less error-prone, and far less labor-intensive, than eyeballing everything.

Is the plan to eventually shut down the anoncvs and CVSup services entirely? If so, shall the Gnats database be made available to the public through other means besides the query-pr CGI? I ask this after looking at http://www.freebsd.org/doc/en/articles/committers-guide/article.html#gnats .

-- 
Trevor Johnson