From: Jason Stone
Date: Mon, 6 May 2002 15:01:03 -0700 (PDT)
Subject: Re: cvsup/install over ssh?
In-Reply-To: <20020506231634.A33284@energyhq.homeip.net>
Message-ID: <20020506144118.D6630-100000@walter>

> Why doesn't cvsup have the option to be encrypted via ssh like
> anoncvs does?
>
> IMHO nonsense, no sensitive data is exchanged between client and
> server.
>
> Hmmkay, let me get this straight, you want to encrypt an anon ftp
> session? And the purpose would be?

1) Encryption provides more than privacy - it also provides authenticity.
Other package management systems (eg, rpm, dpkg) allow for pgp-signing
each binary package. Using ssl certs to set up the connection to the
cvsup server would provide similar authenticity functionality to cvsup'ed
source upgrades.

Note that if you're worried about burning too much cpu, it would be
sufficient to use the equivalent of ssh v2 with a null cipher - ie, to
just do per-packet MAC'ing and not actually encrypt the packet payloads.

2) People use cvsup for more than just freebsd sources - it's a generally
useful tool. I was using cvsup as part of website publication some time
ago - I just proxied it over a stunnel and it worked okay.

Maybe we can run cvsup behind a stunnel on one of the official cvsup
mirrors?

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that
10 or 15 years from now, she will come to me and say "Daddy, where were
you when they took freedom of the press away from the Internet?"
 -- Mike Godwin
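The "null cipher plus per-packet MAC" idea from point 1 of the message above, as an added example that is not part of the original message and is not cvsup or ssh code: payloads travel in cleartext, but each packet carries an HMAC over an implicit sequence number and the length-prefixed payload, so tampering and replay are rejected. HMAC-SHA256, the packet layout and the names `MacOnlyChannel` and `rejected` are assumptions; the shared key is assumed to come from an authenticated key exchange (for instance one anchored in the server certificate the message mentions).

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


class MacOnlyChannel:
    """One direction of a cleartext stream with a per-packet MAC (no cipher)."""

    def __init__(self, key: bytes):
        self.key = key  # assumed: agreed during an authenticated key exchange
        self.seq = 0    # implicit packet counter, never sent on the wire

    def _tag(self, body: bytes) -> bytes:
        # The MAC covers the sequence number plus the length-prefixed payload.
        msg = struct.pack(">I", self.seq) + body
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        body = struct.pack(">I", len(payload)) + payload
        packet = body + self._tag(body)
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return packet

    def open(self, packet: bytes) -> bytes:
        if len(packet) < 4 + TAG_LEN:
            raise ValueError("short packet")
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        (length,) = struct.unpack(">I", body[:4])
        if length != len(body) - 4:
            raise ValueError("length mismatch")
        if not hmac.compare_digest(tag, self._tag(body)):
            raise ValueError("bad MAC")  # a real peer would drop the connection
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return body[4:]


def rejected(channel: MacOnlyChannel, packet: bytes) -> bool:
    """True if the receiver refuses the packet."""
    try:
        channel.open(packet)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = b"constructed-demo-session-key-32b"  # constructed sample key
    tx, rx = MacOnlyChannel(key), MacOnlyChannel(key)
    pkt = tx.seal(b"constructed file delta")
    print(pkt[4:-TAG_LEN], rx.open(pkt), rejected(rx, pkt))
```

Because the sequence number is only ever fed into the MAC, a replayed or reordered packet fails verification even though its bytes are unmodified.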