Date: Tue, 18 Nov 2003 20:40:56 +0100
From: Steve O'Hara-Smith <steve@sohara.org>
To: Colin Percival <colin.percival@wadham.ox.ac.uk>
Cc: caroloveres@yahoo.com
Subject: Re: Secure updating of OS and ports
Message-ID: <20031118204056.66a9cf7a.steve@sohara.org>
In-Reply-To: <5.0.2.1.1.20031118163606.031db020@popserver.sfu.ca>
References: <xzp7k1yxdev.fsf@dwp.des.no> <5.0.2.1.1.20031117165641.03101720@popserver.sfu.ca> <xzp7k1yxdev.fsf@dwp.des.no> <5.0.2.1.1.20031118163606.031db020@popserver.sfu.ca>
On Tue, 18 Nov 2003 16:42:52 +0000
Colin Percival <colin.percival@wadham.ox.ac.uk> wrote:

...

CP> segments on which the above reside. It's *almost* as secure as http
CP> -- but not quite, since the mirror system provides another point of
CP> attack.
CP> If everyone used ssh tunnels to cvsup-master, this wouldn't be an
CP> issue... but that isn't an option.

You could raise the bar by pulling the repository from one mirror and the source tree from another and doing a cvs diff. Refer to the mirrors by IP address to push the DNS issue out of the way. Confirm connections with netstat -anf inet once established. Wait 24 hours before deploying - if anything got through that lot it is likely to be widespread and noticed or someone very determined who has it in for you.

-- 
C:>WIN                          | Directable Mirrors
The computer obeys and wins.    |A Better Way To Focus The Sun
You lose and Bill collects.     | licenses available - see:
                                | http://www.sohara.org/
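The cross-mirror comparison suggested in the message above, as an added example that is not part of the original e-mail: it hashes every file in two trees pulled from different mirrors and reports paths that are missing on one side or whose content differs. It compares two checked-out trees rather than running cvs diff; `SKIP_DIRS`, the function names and the sample trees are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

SKIP_DIRS = {"CVS"}  # assumption: CVS admin dirs record the mirror used, so skip them

def manifest(root):
    """Map each relative path under root to ("file", sha256) or ("link", target)."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):  # compare the target, never follow the link
                entries[rel] = ("link", os.readlink(full))
            elif os.path.isfile(full):  # real directories and special files are skipped
                with open(full, "rb") as fh:
                    entries[rel] = ("file", hashlib.sha256(fh.read()).hexdigest())
    return entries

def compare_trees(tree_a, tree_b):
    """Return paths missing from either tree and paths whose content differs."""
    a, b = manifest(tree_a), manifest(tree_b)
    return {
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "differ": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }

def write_tree(root, files):
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

def demo():
    """Constructed sample: two tiny trees standing in for pulls from two mirrors."""
    tree_a = {"CVS/Root": b"mirror-a.example:/repo\n",
              "bin/ls/ls.c": b"int main(void) { return 0; }\n",
              "usr.bin/login/login.c": b"/* original */\n"}
    tree_b = {**tree_a, "CVS/Root": b"mirror-b.example:/repo\n",
              "usr.bin/login/login.c": b"/* altered */\n",
              "etc/rc.local": b"# extra file\n"}
    with tempfile.TemporaryDirectory() as base:
        return compare_trees(write_tree(os.path.join(base, "a"), tree_a),
                             write_tree(os.path.join(base, "b"), tree_b))
```

Calling `demo()` runs the comparison on the constructed trees; any non-empty list in the result is a reason to hold the update and check a third source.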