Date:      Wed, 19 Aug 2015 23:33:15 +0000
From:      "Montgomery-Smith, Stephen" <stephen@missouri.edu>
To:        "ctm-users@freebsd.org" <ctm-users@freebsd.org>
Subject:   Re: Do you still need CTM?
Message-ID:  <55D5123A.50407@missouri.edu>
In-Reply-To: <55D3E582.2030908@missouri.edu>
References:  <55D3E582.2030908@missouri.edu>

On 08/18/2015 09:10 PM, Montgomery-Smith, Stephen wrote:
> I just received an email from one of the FreeBSD people telling me
> that they are worried about the security threat posed by CTM.
> They would like to disconnect it from the base FreeBSD system.
>
> Personally I have become extremely happy with using subversion, and
> if CTM were to disappear, I could live without it very easily.
>
> But maybe some of you feel differently.  One thing we could do is
> 1.  Create a CTM port; 2.  Put the deltas on a server other than
> official FreeBSD servers; 3.  Host our own mailing lists.
>
> Honestly, I think the best thing to do is to close CTM.  But if
> anyone else really wants CTM, and is willing to do (2) and (3), I
> can easily do (1).

1.  One thing I can do is to keep the CTM deltas being generated, and
keep the following web page open: http://web.missouri.edu/~stephen/CTM/
The only thing I cannot store are the svn-cur xEmpty files, because I
haven't been given enough space.  I cannot maintain any kind of
mailing list.  Also, since this web space belongs to the University of
Missouri, they might take it down some day.

2.  I am sympathetic to the security concerns.  Having seen the recent
security advisories, it seems to me that no-one can predict how some
odd bit of code on the side will one day become a problem.  And I
think to do a full audit of the ctm code would be a lot of work.

If we disconnect CTM from the FreeBSD project, and run it privately
from the side, then it doesn't decrease our security problems.  But it
does decrease FreeBSD's potential security problems.  And if the CTM
code gets hit by some weird virus (e.g. a forged email sending a delta
that lays your computers open to the world), the FreeBSD project won't
then get embarrassed.

3.  I'm not so sympathetic to the issue of how much space the svn
repository takes.  Disk space is so cheap these days.  But presumably
people who are concerned over that issue don't need the svn-cur CTM
deltas, and only want ports-cur or src-*.  Then what I offer in point
(1) should be satisfactory.

Stephen