From owner-freebsd-security@FreeBSD.ORG Sat Nov 17 23:53:40 2012
Date: Sat, 17 Nov 2012 15:43:13 -0759
From: David Thiel <lx@redundancy.redundancy.org>
To: freebsd-security@freebsd.org
Subject: Re: Recent security announcement and csup/cvsup?
Message-ID: <20121117234248.GB11298@redundancy.redundancy.org>
References: <20121117150556.GE24320@in-addr.com>
In-Reply-To: <20121117150556.GE24320@in-addr.com>
X-OpenPGP-Key-fingerprint: 482A 8C46 C844 7E7C 8CBC 2313 96EE BEE5 1F4B CA13
X-OpenPGP-Key-available: http://redundancy.redundancy.org/lx.gpg

On Sat, Nov 17, 2012 at 10:05:33AM -0500, Gary Palmer wrote:
> Can someone explain why the cvsup/csup infrastructure is considered insecure
> if the person had access to the *package* building cluster? Is it because
> the leaked key also had access to something in the chain that goes to cvsup,
> or is it because the project is not auditing the cvsup system and so the
> default assumption is that it cannot be trusted to not be compromised?

Regardless of the circumstances of the incident, use of cvsup/csup has
always been horrendously dangerous. People should regard any code retrieved
over this channel to have been potentially compromised by a network
attacker.

Portsnap. Srsly.

-David