Date: Sun, 18 Nov 2012 13:04:21 -0500
From: Gary Palmer <gpalmer@freebsd.org>
To: "M. Schulte" <m-freebsd@fuglos.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Recent security announcement and csup/cvsup?
Message-ID: <20121118180421.GF24320@in-addr.com>
In-Reply-To: <alpine.BSF.2.00.1211171705170.32838@m.fuglos.org>
References: <20121117150556.GE24320@in-addr.com> <alpine.BSF.2.00.1211171705170.32838@m.fuglos.org>
On Sat, Nov 17, 2012 at 05:07:16PM +0100, M. Schulte wrote:
> Hi,
>
> > Can someone explain why the cvsup/csup infrastructure is considered
> > insecure [...]
>
> Speaking of cvsup security -- correct me if I'm wrong, but as far as I
> know cvsup is generally vulnerable to man-in-the-middle attacks[0]. Hence
> I'd be very happy about more and more people moving over to the portsnap
> camp.
>
> Best,
> mel
>
> [0] http://en.wikipedia.org/wiki/Portsnap
> http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2003-11/0287.html

While I haven't investigated its protocol in detail, I would tend to
suspect that svn is just as vulnerable, as AFAIK the FreeBSD SVN servers
are running in clear text mode. And yet we are being pushed towards SVN
for source access instead of cvsup.

portsnap is great if you can use the official ports tree without local
modifications. If you need to patch some ports locally (for whatever
reason) then I believe it is less helpful. cvs/svn let you update your
local ports tree while keeping your local changes.

In other words: while signed updates via freebsd-update and portsnap are
great for a good chunk of users, they don't address everyone's needs.

Regards,

Gary