From owner-freebsd-security@FreeBSD.ORG Fri Apr 11 21:55:07 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 57B8A5D6 for ; Fri, 11 Apr 2014 21:55:07 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 22C871309 for ; Fri, 11 Apr 2014 21:55:07 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.8/8.14.8) with ESMTP id s3BLt67x035926 for ; Fri, 11 Apr 2014 21:55:06 GMT (envelope-from bdrewery@freefall.freebsd.org) Received: (from bdrewery@localhost) by freefall.freebsd.org (8.14.8/8.14.8/Submit) id s3BLt6gA035925 for freebsd-security@freebsd.org; Fri, 11 Apr 2014 21:55:06 GMT (envelope-from bdrewery) Received: (qmail 6771 invoked from network); 11 Apr 2014 16:55:04 -0500 Received: from unknown (HELO roundcube.xk42.net) (10.10.5.5) by sweb.xzibition.com with SMTP; 11 Apr 2014 16:55:04 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Date: Fri, 11 Apr 2014 16:55:04 -0500 From: Bryan Drewery To: David.I.Noel@gmail.com Subject: Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update] Organization: FreeBSD In-Reply-To: References: <53472B7F.5090001@FreeBSD.org> <53483074.1050100@delphij.net> Message-ID: <9a96e11b0edf412d0a3f79afdbecc4fd@shatow.net> X-Sender: bdrewery@FreeBSD.org User-Agent: Roundcube Webmail/0.9.5 X-Mailman-Approved-At: Fri, 11 Apr 2014 22:03:47 +0000 Cc: freebsd-security@freebsd.org, d@delphij.net, secteam , security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Apr 2014 21:55:07 -0000 On 2014-04-11 15:23, David Noel wrote: >>> If you look at the portsnap build code you'll see that the first >>> thing portsnap does is pull the ports tree from Subversion. It uses >>> the URL svn://svn.freebsd.org/ports. By not using ssl or svn+ssh >>> the entire ports archive is exposed to corruption right from the >>> start. >> >> Just to clarify -- this is not entirely true. I have double checked >> and confirmed that the snapshot builder of portsnap at FreeBSD.org >> uses svn over spiped transport. >> >> The configuration on svn do not necessarily reflect what's running in >> production (however you brought a very good point that it's a good >> idea to bring them public assuming there is no sensitive information >> in them so anyone can review them). > > Thanks for checking on that. I don't have production access so I could > only assume that what was in /user/cperciva/portsnap-build was what we > were running. I'm surprised to find out that it's not. > > My main point was that if you don't trust Subversion it makes no sense > to say you trust portsnap. Portsnap pulls the ports tree from > Subversion. Using Subversion! The portsnap system relies on the trust > of both svnadmin and svn. Just as it does when you run svn co and svn > up. If you say you don't trust Subversion, essentially what you're > saying is that you don't trust anything running on your computer. > >> you brought a very good point that it's a good >> idea to bring them public assuming there is no sensitive information >> in them so anyone can review them). > > Thank you. I hope something comes of this conversation. I have no > access to production so for these sorts of things all I can do is mail > this list and hope that someone makes the requested changes. Who said we don't trust subversion? I certainly was not meaning that. -- Regards, Bryan Drewery