Date: Sun, 13 Apr 2014 16:07:09 -0500
From: David Noel <david.i.noel@gmail.com>
To: Lowell Gilbert <freebsd-security-local@be-well.ilk.org>
Cc: freebsd-security@freebsd.org, security@freebsd.org
Subject: Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]
Message-ID: <CAHAXwYBDWEUH2yDR59Aurbsrjn4W0JAH87Qk7Oumncwagu45Bg@mail.gmail.com>
In-Reply-To: <44bnw5uwmm.fsf@lowell-desk.lan>
References: <CAHAXwYCGkP-o0VvMXj5S8-KNA45aTvy%2BsrjDL_=8-x9Dza5z5Q@mail.gmail.com>
 <53472B7F.5090001@FreeBSD.org>
 <CAHAXwYDdxbRimwjvPf%2B5odYUUN4u4rNzdEkEmWwZN97mi1riEg@mail.gmail.com>
 <53483074.1050100@delphij.net>
 <CAHAXwYDhxmEwxtBLyZF1R1F8XENsq4FbpzVy89BN8f%2BRYU74KA@mail.gmail.com>
 <44bnw5uwmm.fsf@lowell-desk.lan>

> Portsnap uses secured access for getting updates out of Subversion

The portsnap open source project pulls data insecurely using the url svn://svn.freebsd.org. The server-side code of the FreeBSD portsnap system -- a closed source fork of the open source portsnap project -- happens to use secured access for pulling data from svn. This is not a trivial point.

> whereas doing "svn co" remotely generally does not.

Without knowing usage statistics there is no way to describe a "general" use case for `svn co`. The security of access of that command is entirely dependent on how it is parameterized.