Date: Sun, 10 Dec 2017 19:52:32 +0000
From: Igor Mozolevsky <mozolevsky@gmail.com>
To: Yuri <yuri@rawbw.com>
Cc: freebsd security <freebsd-security@freebsd.org>, RW <rwmaillists@googlemail.com>
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <CADWvR2hATJ7BCFdz-jwsM4f=1Anp7RcRYK1jf-nUXt7zC5bkiA@mail.gmail.com>
In-Reply-To: <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>
References: <97f76231-dace-10c4-cab2-08e5e0d792b5@rawbw.com> <5A2709F6.8030106@grosbein.net> <11532fe7-024d-ba14-0daf-b97282265ec6@rawbw.com> <8788fb0d-4ee9-968a-1e33-e3bd84ffb892@heuristicsystems.com.au> <20171205220849.GH9701@gmail.com> <20171205231845.5028d01d@gumby.homeunix.com> <CADWvR2gVn8H5h6LYB5ddwUHYwDtiLCuYndsXhJywi7Q9vNsYvw@mail.gmail.com> <20171210173222.GF5901@funkthat.com> <CADWvR2iGQOtcU=FnU-fNsso2eLCCQn=swnOLoqws%2B33V8VzX1Q@mail.gmail.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <CADWvR2j_LLEPKnSynRRmP4LG3mypdkNitwg%2B7vSh=iuJ=JU09Q@mail.gmail.com> <fd888f6b-bf16-f029-06d3-9a9b754dc676@rawbw.com> <CADWvR2jnxVwXmTA9XpZhGYnCAhFVifqqx2MvYeSeHmYEybaNnA@mail.gmail.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <CADWvR2gkFGY8CH5L7N67z8mfOux=Vjv8eobpK=pOpCKW3ysAkA@mail.gmail.com> <913910fb-723b-e450-8f02-4c26b3c15287@rawbw.com> <CADWvR2hR2-DPayNVOUvTxMQ=tj7YpotVzKFHGQFPoC5ZGDvnNA@mail.gmail.com> <898df78d-c0b1-9e9f-0630-2665c3939960@rawbw.com>

On 10 December 2017 at 19:47, Yuri <yuri@rawbw.com> wrote:

> On 12/10/17 11:36, Igor Mozolevsky wrote:
>
> If I give my bank card and PIN to someone who I don't trust, I can't
> complain that my bank doesn't take adequate precautions if that person
> drains my bank account! You choose to go down a route that **you** know is
> compromised!
>
>
> 1. The user has set up the subversion source trees based on the *current
> advice* here for anonymous checkout:
> https://wiki.freebsd.org/PortsSubversionPrimer
>
>
> % svn co http://svn.freebsd.org/ports/head /usr/ports
>
> 2. The user heard that Tor improves his anonymity, and decided to use it.
>
> 3. The user updated the sources through Tor and got hacked.
>
> Where did this user go wrong, or where has he been irresponsible?
>
>
> The fact that this page https://wiki.freebsd.org/PortsSubversionPrimer
> still recommends http is appalling!
>
>

The freebsd wiki doesn't recommend Tor, does it?! If the user was so badly educated about Tor, why is it FreeBSD's problem, honestly?

What you're saying is no different than "Alice" doesn't want to download FreeBSD herself, so she asks "Eve" to get her a CD with the source code. Unbeknownst to Alice, Eve replaces a bunch of files on the CD and presents the CD to Alice as a bona fide copy. The problem in the chain is Eve (or Tor, in your case) not where Eve got the CD from!

This discussion is turning circular and, quite frankly, ridiculous!

--
Igor M.