From: David Noel
Reply-To: David.I.Noel@gmail.com
To: Lowell Gilbert
Cc: freebsd-security@freebsd.org, security@freebsd.org
Date: Sun, 13 Apr 2014 16:07:09 -0500
Subject: Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]
In-Reply-To: <44bnw5uwmm.fsf@lowell-desk.lan>
References: <53472B7F.5090001@FreeBSD.org> <53483074.1050100@delphij.net> <44bnw5uwmm.fsf@lowell-desk.lan>

> Portsnap uses secured access for getting updates out of Subversion

The portsnap open source project pulls data insecurely using the URL svn://svn.freebsd.org. The server-side code of the FreeBSD portsnap system -- a closed source fork of the open source portsnap project -- happens to use secured access for pulling data from svn. This is not a trivial point.

> whereas doing "svn co" remotely generally does not.

Without knowing usage statistics there is no way to describe a "general" use case for `svn co`. The security of access of that command is entirely dependent on how it is parameterized.