From: "Poul-Henning Kamp" <phk@critter.freebsd.dk>
To: Karl Denninger
Cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Tue, 12 Dec 2017 14:28:08 +0000
Message-ID: <26440.1513088888@critter.freebsd.dk>
References: <20171205231845.5028d01d@gumby.homeunix.com> <20171210173222.GF5901@funkthat.com> <5c810101-9092-7665-d623-275c15d4612b@rawbw.com> <19bd6d57-4fa6-24d4-6262-37e1487d7ed6@rawbw.com> <5A2DB80D.3020309@sorbs.net> <20171210225326.GK5901@funkthat.com> <99305.1512947694@critter.freebsd.dk> <86d13kgnfh.fsf@desk.des.no> <79567.1513083576@critter.freebsd.dk>
List-Id: "Security issues [members-only posting]"

--------

In message , Karl Denninger writes:

>Now the question becomes this -- is the proper means to handle this via
>TLS (using that root cert) OR should the *transport* be fixed so that
>https doesn't need to be used?

I certainly would caution against inventing more encrypted transports
than we already have.

The only feasible alternative I see is SSH, provided we can persuade it
somehow to not authenticate the client. If this requires a hacked
sshd(8) which just says "welcome", I would be very worried about it
coexisting with an untainted sshd on any system.

>I argue the second, because the goal when it comes to source
>distributions is ensuring that the code you transfer is bit-wise
>identical to the code on the FreeBSD project repositories *which can be
>mirrored.*

I am personally a very big fan of integrity checks which do not also
encrypt the content with an ephemeral key, for exactly that reason.
Most of the people who try to force everything behind HTTPS don't even
know you can do that.

For the FreeBSD SVN tree, this could almost be as simple as posting an
email, maybe once a week, with the exact revision checked out and the
PGP-signed output of:

    svn co ... && find ... -print | sort | xargs cat | sha256

Such an archive would also be invaluable for reauthenticating in case
somebody ever manages to do something evil to our repo.

>Solve the problem at the correct location -- either fix svn to sign and
>verify updates or dump it for something that can and use that existing
>mechanism (e.g. git)

As I mentioned humorously to you in private email, I don't think this
particular problem will reach consensus any sooner if you also tangle
it in the SVN vs GIT political issue.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
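The message above sketches an integrity check for an SVN checkout: a digest of the tree, PGP-signed and published out of band, so a mirror served over plain http can still be verified bit-for-bit. The script below is an added example of that idea, written for this page; it is not code from the thread or from the FreeBSD project. It records one sha256 per file together with the file's path (rather than one digest over the concatenated contents), so renames, added files and removed files change the manifest as well as edits, and it prunes `.svn/` metadata, which differs between checkouts of the same revision. The function names, the `sha256sum`/`sha256 -q` fallback and the sample tree in the comments are assumptions made for the example; file names containing newlines are not handled.

```shell
#!/bin/sh
# Added example, not from the mailing-list message or the FreeBSD project.
# Build and verify a per-file sha256 manifest of a source tree, the kind of
# artifact that can be PGP-signed and posted independently of the transport.

# hashfile FILE -> prints the hex sha256 of FILE.
# Assumes GNU sha256sum or BSD sha256(1); both are widely available.
hashfile() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# make_manifest DIR -> prints "<sha256>  <relative path>" lines sorted by path.
# .svn/ is pruned because its contents vary between checkouts of one revision.
# LC_ALL=C gives a byte-order sort that is identical on every host, which is
# what makes the manifest reproducible by a third party.
make_manifest() {
    dir=$1
    ( cd "$dir" && find . -name .svn -prune -o -type f -print | LC_ALL=C sort ) |
    while IFS= read -r f; do
        printf '%s  %s\n' "$(hashfile "$dir/$f")" "$f"
    done
}

# verify_manifest DIR MANIFEST -> 0 if DIR reproduces MANIFEST byte for byte,
# 1 otherwise (with the differing lines on stderr), 2 on internal error.
# Because each line carries a path, a rename shows up as one removed and one
# added line even though the bytes of the tree are unchanged.
verify_manifest() {
    tmp=$(mktemp) || return 2
    make_manifest "$1" > "$tmp"
    if cmp -s "$tmp" "$2"; then
        rm -f "$tmp"
        return 0
    fi
    echo "manifest mismatch for $1:" >&2
    diff "$2" "$tmp" >&2
    rm -f "$tmp"
    return 1
}

# Publishing and consuming the manifest (shown, not exercised here):
#   make_manifest ./src > manifest.txt
#   gpg --clearsign manifest.txt              # -> manifest.txt.asc, posted by the project
# On the receiving side, check the signature before trusting the list:
#   gpg --output manifest.txt --decrypt manifest.txt.asc   # verifies and extracts
#   verify_manifest ./src manifest.txt
```

The signature is what binds the list of hashes to the project; the transport that delivered the checkout and the manifest can be anything, including an untrusted http mirror, as long as the signing key is obtained and verified out of band.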