Date: Fri, 25 Apr 2014 12:02:17 -0600
From: Chad Perrin <code@apotheon.net>
To: freebsd-security@freebsd.org
Subject: Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]
Message-ID: <20140425180217.GC8508@glaze.hydra>
In-Reply-To: <CAHAXwYBXz80JXhYRknJQoimzU37ZMPjNJ5E2hn8FD0qL6PhKMw@mail.gmail.com>
References: <CAHAXwYCGkP-o0VvMXj5S8-KNA45aTvy+srjDL_=8-x9Dza5z5Q@mail.gmail.com>
 <53472B7F.5090001@FreeBSD.org>
 <CAHAXwYDdxbRimwjvPf+5odYUUN4u4rNzdEkEmWwZN97mi1riEg@mail.gmail.com>
 <53483074.1050100@delphij.net>
 <CAHAXwYDhxmEwxtBLyZF1R1F8XENsq4FbpzVy89BN8f+RYU74KA@mail.gmail.com>
 <44bnw5uwmm.fsf@lowell-desk.lan>
 <20140414144155.C55844@sola.nimnet.asn.au>
 <CAHAXwYBXz80JXhYRknJQoimzU37ZMPjNJ5E2hn8FD0qL6PhKMw@mail.gmail.com>
On Mon, Apr 14, 2014 at 12:36:28AM -0500, David Noel wrote:
> > Indeed it is not. David's solution - which seems to amount to removing
> > portsnap and herding the cats at home to DTRT about using svn securely -
> > relies on other cats being as smart and aware of the ramifications as he
> > is - a highly questionable proposition especially for the numerous more
> > naive users that portsnap renders the process of securely upgrading the
> > ports tree just about as simple and consistent as it can be.
>
> On the one hand I do get what you're saying. On the other I don't know
> that you're fairly characterizing the typical portsnap user. Building
> ports from source is not something I would think a novice FreeBSD user
> would do (make can be--and often is--an absolute nightmare!). Rather,
> I would imagine a novice would be using something like pkgng.

When I was a novice FreeBSD user, lo these many many moons ago when the
world was young and neckbearded Unix gods roamed the earth, I installed
from source using the ports system.

> >
> > David, perhaps your obvious talent for auditing the portsnap code and
> > its server-side configuration might be better applied to remedying any
> > perceived vulnerabilities in conjunction with present and past security
> > officers and teams?
>
> Thanks. I'm happy to, and it's on my to-do list, the only problem is
> that I'm swamped with other projects and it's been sitting on that
> list for the past 2 years. It seems to be a similar problem for Colin
> and the Security Team. I'm hoping that by bringing this bug to the
> list that someone with more free time will be able to patch it.

Would you be willing to put the time into training up someone to do that
work? I'm a bit of a fixer-upper, but I am willing and eager to
contribute.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]