Date: Sat, 17 Nov 2012 15:43:13 -0759
From: David Thiel <lx@FreeBSD.org>
To: freebsd-security@freebsd.org
Subject: Re: Recent security announcement and csup/cvsup?
Message-ID: <20121117234248.GB11298@redundancy.redundancy.org>
In-Reply-To: <20121117150556.GE24320@in-addr.com>
References: <20121117150556.GE24320@in-addr.com>
On Sat, Nov 17, 2012 at 10:05:33AM -0500, Gary Palmer wrote:
> Can someone explain why the cvsup/csup infrastructure is considered insecure
> if the person had access to the *package* building cluster? Is it because
> the leaked key also had access to something in the chain that goes to cvsup,
> or is it because the project is not auditing the cvsup system and so the
> default assumption is that it cannot be trusted to not be compromised?

Regardless of the circumstances of the incident, use of cvsup/csup has always been horrendously dangerous. People should regard any code retrieved over this channel as potentially compromised by a network attacker.

Portsnap. Srsly.

-David