Date: Fri, 11 Apr 2014 15:23:01 -0500 From: David Noel <david.i.noel@gmail.com> To: d@delphij.net Cc: freebsd-security@freebsd.org, security@freebsd.org, secteam <secteam@freebsd.org>, Bryan Drewery <bdrewery@freebsd.org> Subject: Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update] Message-ID: <CAHAXwYDhxmEwxtBLyZF1R1F8XENsq4FbpzVy89BN8f%2BRYU74KA@mail.gmail.com> In-Reply-To: <53483074.1050100@delphij.net> References: <CAHAXwYCGkP-o0VvMXj5S8-KNA45aTvy%2BsrjDL_=8-x9Dza5z5Q@mail.gmail.com> <53472B7F.5090001@FreeBSD.org> <CAHAXwYDdxbRimwjvPf%2B5odYUUN4u4rNzdEkEmWwZN97mi1riEg@mail.gmail.com> <53483074.1050100@delphij.net>
next in thread | previous in thread | raw e-mail | index | archive | help
>> If you look at the portsnap build code you'll see that the first >> thing portsnap does is pull the ports tree from Subversion. It uses >> the URL svn://svn.freebsd.org/ports. By not using ssl or svn+ssh >> the entire ports archive is exposed to corruption right from the >> start. > > Just to clarify -- this is not entirely true. I have double checked > and confirmed that the snapshot builder of portsnap at FreeBSD.org > uses svn over spiped transport. > > The configuration on svn do not necessarily reflect what's running in > production (however you brought a very good point that it's a good > idea to bring them public assuming there is no sensitive information > in them so anyone can review them). Thanks for checking on that. I don't have production access so I could only assume that what was in /user/cperciva/portsnap-build was what we were running. I'm surprised to find out that it's not. My main point was that if you don't trust Subversion it makes no sense to say you trust portsnap. Portsnap pulls the ports tree from Subversion. Using Subversion! The portsnap system relies on the trust of both svnadmin and svn. Just as it does when you run svn co and svn up. If you say you don't trust Subversion, essentially what you're saying is that you don't trust anything running on your computer. > you brought a very good point that it's a good > idea to bring them public assuming there is no sensitive information > in them so anyone can review them). Thank you. I hope something comes of this conversation. I have no access to production so for these sorts of things all I can do is mail this list and hope that someone makes the requested changes.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAHAXwYDhxmEwxtBLyZF1R1F8XENsq4FbpzVy89BN8f%2BRYU74KA>