From owner-freebsd-security@FreeBSD.ORG Fri Apr 25 18:02:28 2014
Date: Fri, 25 Apr 2014 12:02:17 -0600
From: Chad Perrin
To: freebsd-security@freebsd.org
Subject: Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update]
Message-ID: <20140425180217.GC8508@glaze.hydra>
Mail-Followup-To: freebsd-security@freebsd.org
References: <53472B7F.5090001@FreeBSD.org> <53483074.1050100@delphij.net> <44bnw5uwmm.fsf@lowell-desk.lan> <20140414144155.C55844@sola.nimnet.asn.au>
User-Agent: Mutt/1.5.23 (2014-03-12)
List-Id: "Security issues \[members-only posting\]"

On Mon, Apr 14, 2014 at 12:36:28AM -0500, David Noel wrote:
> > Indeed it is not. David's solution - which seems to amount to removing
> > portsnap and herding the cats at home to DTRT about using svn securely -
> > relies on other cats being as smart and aware of the ramifications as he
> > is - a highly questionable proposition especially for the numerous more
> > naive users that portsnap renders the process of securely upgrading the
> > ports tree just about as simple and consistent as it can be.
>
> On the one hand I do get what you're saying. On the other I don't know
> that you're fairly characterizing the typical portsnap user. Building
> ports from source is not something I would think a novice FreeBSD user
> would do (make can be--and often is--an absolute nightmare!). Rather,
> I would imagine a novice would be using something like pkgng.

When I was a novice FreeBSD user, lo these many many moons ago when the
world was young and neckbearded Unix gods roamed the earth, I installed
from source using the ports system.

> > David, perhaps your obvious talent for auditing the portsnap code and
> > its server-side configuration might be better applied to remedying any
> > perceived vulnerabilities in conjunction with present and past security
> > officers and teams?
>
> Thanks. I'm happy to, and it's on my to-do list, the only problem is
> that I'm swamped with other projects and it's been sitting on that
> list for the past 2 years. It seems to be a similar problem for Colin
> and the Security Team. I'm hoping that by bringing this bug to the
> list that someone with more free time will be able to patch it.

Would you be willing to put the time into training up someone to do that
work? I'm a bit of a fixer-upper, but I am willing and eager to
contribute.

--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]