From: Matthew Seaman
Date: Tue, 20 Nov 2012 15:45:20 +0000
To: freebsd-security@freebsd.org
Subject: Re: Recent security announcement and csup/cvsup?
Message-ID: <50ABA590.5090600@freebsd.org>

On 20/11/2012 10:01, Ollivier Robert wrote:
> According to Gary Palmer on Sun, Nov 18, 2012 at 01:04:21PM -0500:
>> > In other words: while signed updates via freebsd-update and portsnap
>> > are great for a good chunk of users, they don't address everyone's needs.
>
> Hopefully, with the move toward kngng, there will be less need of portsnap (and /usr/ports for that matter).

kngng? I had visions of Kerberized pkgng there for a moment...

pkgng will have a crypto-signing mechanism for packages with per-repository public keys and so forth. It's not there yet -- stuff is awaiting review by security team people, who are (even moreso, given current events) generally insanely busy.

This will allow everyone to be confident that the packages they install are as generated on the build system used to generate them. Which won't help at all if an attacker can subvert either the mechanisms by which the build system gets its source code[*], or the source repositories that code comes from -- and remember, since this is the ports, that code comes from all sorts of places of greater and lesser security.
In that sense, pkgng offers no fundamental security advantage over using the ports directly yourself. pkgng will be more convenient and a lot quicker, but it isn't meant to entirely replace the ports.

Cheers,

Matthew

[*] Including faking the SHA checksums of the distfiles, which is a little extra step that seems to elude most attackers and that has resulted in uncovering such attacks in the past.
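
The distfile check the footnote refers to, as an added example that is not part of the original message or of the ports tree's own code: a ports-style distinfo records a SHA256 and SIZE per distfile, and fetched bytes that do not match are rejected. The file name and contents are constructed, and the function names are hypothetical; the check only ties a distfile to whatever distinfo says, so distinfo itself has to arrive over a trusted channel.

```python
import hashlib
import re

# One distinfo record: "SHA256 (name) = hex" or "SIZE (name) = bytes".
_RECORD = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")


def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = _RECORD.match(line.strip())
        if not m:
            continue  # blank lines and records this example does not use
        kind, name, value = m.groups()
        parsed = int(value) if kind == "SIZE" else value.lower()
        entries.setdefault(name, {})[kind] = parsed
    return entries


def check_distfile(entries, name, data):
    """Compare fetched bytes against the recorded size and SHA256."""
    want = entries.get(name)
    if want is None or "SHA256" not in want:
        return "no-checksum"  # never treat an unlisted file as verified
    if "SIZE" in want and want["SIZE"] != len(data):
        return "size-mismatch"
    if hashlib.sha256(data).hexdigest() != want["SHA256"]:
        return "sha256-mismatch"
    return "ok"


def make_distinfo(name, data):
    """Build distinfo text for constructed sample data."""
    return "SHA256 ({0}) = {1}\nSIZE ({0}) = {2}\n".format(
        name, hashlib.sha256(data).hexdigest(), len(data))


# Constructed sample: an upstream tarball and a same-length altered copy.
GOOD = b"constructed upstream release 1.0\n"
ALTERED = b"constructed upstream release 1.O\n"
DISTINFO = parse_distinfo(make_distinfo("example-1.0.tar.gz", GOOD))

if __name__ == "__main__":
    for label, blob in (("original", GOOD), ("altered", ALTERED)):
        print(label, check_distfile(DISTINFO, "example-1.0.tar.gz", blob))
```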