From owner-freebsd-questions@FreeBSD.ORG  Sat Jan 16 20:05:39 2010
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D2B121065676
	for <freebsd-questions@freebsd.org>;
	Sat, 16 Jan 2010 20:05:39 +0000 (UTC)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from smtp.infracaninophile.co.uk (gate6.infracaninophile.co.uk
	[IPv6:2001:8b0:151:1::1])
	by mx1.freebsd.org (Postfix) with ESMTP id 409528FC18
	for <freebsd-questions@freebsd.org>;
	Sat, 16 Jan 2010 20:05:39 +0000 (UTC)
Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [IPv6:::1])
	(authenticated bits=0)
	by smtp.infracaninophile.co.uk (8.14.4/8.14.3) with ESMTP id
	o0GK5Xva013552; Sat, 16 Jan 2010 20:05:34 GMT
	(envelope-from m.seaman@infracaninophile.co.uk)
X-DKIM: Sendmail DKIM Filter v2.8.3 smtp.infracaninophile.co.uk o0GK5Xva013552
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=infracaninophile.co.uk; s=201001-infracaninophile; t=1263672334;
	bh=G3fcme9R9XLq0KflDfdqoVkI6OchL2cVZYWStVyNEw4=;
	h=Message-ID:Date:From:MIME-Version:To:CC:Subject:References:
	In-Reply-To:Content-Type:Cc:Content-Type:Date:From:In-Reply-To:
	Message-ID:Mime-Version:References:To;
	z=Message-ID:=20<4B521C08.8050803@infracaninophile.co.uk>|Date:=20S
	at,=2016=20Jan=202010=2020:05:28=20+0000|From:=20Matthew=20Seaman=
	20<m.seaman@infracaninophile.co.uk>|Organization:=20Infracaninophi
	le|User-Agent:=20Thunderbird=202.0.0.23=20(X11/20100114)|MIME-Vers
	ion:=201.0|To:=20Angelin=20Lalev=20<lalev.angelin@gmail.com>|CC:=2
	0freebsd-questions@freebsd.org|Subject:=20Re:=20Secure=20method=20
	for=20fetching=20freebsd=20sources=20?|References:=20<532b03711001
	161041v2400389v915c0fee80dcd840@mail.gmail.com>|In-Reply-To:=20<53
	2b03711001161041v2400389v915c0fee80dcd840@mail.gmail.com>|X-Enigma
	il-Version:=200.95.6|Content-Type:=20multipart/signed=3B=20micalg=
	3Dpgp-sha256=3B=0D=0A=20protocol=3D"application/pgp-signature"=3B=
	0D=0A=20boundary=3D"------------enig10D37803F6ACE133F6785072";
	b=svwMZmFdgehIFWIZfCPkzl2awqZk/GP7FfccFXag1N2YYKv+yX/I2U6z6tQ+iPNLg
	6/2y3OLu0MJmJr+1dWKlyGikXSSvlHEq2LazZIXs60HzgwlAOegtFfrQUJM4GsyLvC
	ytThifustp0naMNahm844nmICC3CZs8PF7G0pwWE=
X-Authentication-Warning: happy-idiot-talk.infracaninophile.co.uk: Host
	localhost [IPv6:::1] claimed to be
	happy-idiot-talk.infracaninophile.co.uk
Message-ID: <4B521C08.8050803@infracaninophile.co.uk>
Date: Sat, 16 Jan 2010 20:05:28 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
User-Agent: Thunderbird 2.0.0.23 (X11/20100114)
MIME-Version: 1.0
To: Angelin Lalev <lalev.angelin@gmail.com>
References: <532b03711001161041v2400389v915c0fee80dcd840@mail.gmail.com>
In-Reply-To: <532b03711001161041v2400389v915c0fee80dcd840@mail.gmail.com>
X-Enigmail-Version: 0.95.6
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature";
	boundary="------------enig10D37803F6ACE133F6785072"
X-Virus-Scanned: clamav-milter 0.95.3 at
	happy-idiot-talk.infracaninophile.co.uk
X-Virus-Status: Clean
X-Spam-Status: No, score=-3.0 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED,
	DKIM_VERIFIED,NO_RELAYS autolearn=ham version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	happy-idiot-talk.infracaninophile.co.uk
Cc: freebsd-questions@freebsd.org
Subject: Re: Secure method for fetching freebsd sources ?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jan 2010 20:05:40 -0000

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig10D37803F6ACE133F6785072
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable

Angelin Lalev wrote:
> Greetings,
>=20
> Which is the *secure* way of fetching freebsd sources?
> Cvsup looks prone to MiM attacks, CTM looks promising, but only if I
> have been member of the appropriate ctm list since the release of 8.0.
> (it seems that the ctm deltas on the ftp are not signed.).
> Do FreeBSD cvs servers support ssh instead of rsh access as OpenBSD ser=
ver do?
> Other alternatives?
>=20
> Please note that this is not a theoretical question. I really have a
> system which i'll put in a place I don't trust, so I'll try to encrypt
> everything from the disk to the connections which I will use for
> updating.

You can use freebsd-update(8) to fetch system sources as well as binary
updates.  Updates are cryptographically secured -- whether this is enough=

for your application is a judgement call you will have to make.

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW


--------------enig10D37803F6ACE133F6785072
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREIAAYFAktSHA0ACgkQ8Mjk52CukIyq4QCfWNPh8BRdIKh3wnAp43UEzd31
rhsAn3R2w2oVsHOw+zsj501ZZEgnuShf
=H+gA
-----END PGP SIGNATURE-----

--------------enig10D37803F6ACE133F6785072--