From: Bertrand JUGLAS
Date: Wed, 27 Oct 2004 09:41:58 +0200
To: Colin Percival
Cc: freebsd-security@freebsd.org
Subject: Re: please test: Secure ports tree updating
Message-ID: <417F5146.5010506@frenchcube.net>
In-Reply-To: <417EAC7E.2040103@wadham.ox.ac.uk>

Colin Percival wrote:
> CVSup is slow, insecure, and a memory hog. However, until now
> it's been the only option for keeping an up-to-date ports tree,
> and (thanks to all of the recent work on vuxml and portaudit)
> it has become quite obvious that keeping an up-to-date ports
> tree is very important.
>
> To provide a secure, lightweight, and fast alternative to CVSup,
> I've written portsnap. As the name suggests, this is a system
> for building, *signing*, and distributing compressed snapshots
> of the ports tree, which can then be extracted into /usr/ports
> as needed.
>
> Portsnap is:
> * Lightweight. It's a 15kB shell script which uses under 50kB
>   of other binaries.
> * Designed for frequent updating. Unlike CVSup, it doesn't
>   need to transmit a complete list of files in the ports tree each
>   time it runs; in fact, if there are no updates available, it only
>   needs to fetch a single file of 256 bytes.
> * Secure. Using code from FreeBSD Update, the ports snapshots
>   are signed using a 2048-bit RSA key.
> * HTTP-only. That's right, you don't need to beg your network
>   maintainer to allow outgoing connections on port 5999 any more. :-)
>
> Right now I'm only building snapshots once per day, but after
> this has had some testing I'll increase that to once every 1-2
> hours. Similarly, portsnap isn't in the ports tree yet, but it
> will appear there once I'm satisfied with the testing that it
> has received.
>
> So please go and test! Portsnap can be downloaded from
> http://www.daemonology.net/portsnap/
>
> Colin Percival
> PS. I'm not sure how many testers this message is going to elicit,
> nor how much bandwidth portsnap.daemonology.net can comfortably
> handle. I may come back tomorrow and ask for some mirrors. :-)

I'm going to test it on a fresh FreeBSD 4.10-RELEASE install and if the
download file size is small I will mirror it on my website.
I will later post results from my testing.

I hope to read from you soon,
Bertrand Juglas