Date: Fri, 11 Apr 2014 15:23:01 -0500
Subject: Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]
From: David Noel
To: d@delphij.net
Cc: freebsd-security@freebsd.org, security@freebsd.org, secteam, Bryan Drewery
Reply-To: David.I.Noel@gmail.com
In-Reply-To: <53483074.1050100@delphij.net>
References: <53472B7F.5090001@FreeBSD.org> <53483074.1050100@delphij.net>

>> If you look at the portsnap build code you'll see that the first
>> thing portsnap does is pull the ports tree from Subversion. It uses
>> the URL svn://svn.freebsd.org/ports. By not using ssl or svn+ssh
>> the entire ports archive is exposed to corruption right from the
>> start.
>
> Just to clarify -- this is not entirely true. I have double checked
> and confirmed that the snapshot builder of portsnap at FreeBSD.org
> uses svn over spiped transport.
>
> The configuration on svn do not necessarily reflect what's running in
> production (however you brought a very good point that it's a good
> idea to bring them public assuming there is no sensitive information
> in them so anyone can review them).

Thanks for checking on that. I don't have production access so I could
only assume that what was in /user/cperciva/portsnap-build was what we
were running. I'm surprised to find out that it's not.

My main point was that if you don't trust Subversion it makes no sense
to say you trust portsnap. Portsnap pulls the ports tree from
Subversion. Using Subversion! The portsnap system relies on the trust
of both svnadmin and svn. Just as it does when you run svn co and svn
up. If you say you don't trust Subversion, essentially what you're
saying is that you don't trust anything running on your computer.

> you brought a very good point that it's a good
> idea to bring them public assuming there is no sensitive information
> in them so anyone can review them).

Thank you. I hope something comes of this conversation. I have no
access to production so for these sorts of things all I can do is mail
this list and hope that someone makes the requested changes.