From: Jan Bramkamp
To: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Date: Tue, 12 Dec 2017 18:22:19 +0100

On 12.12.17 15:28, Poul-Henning Kamp wrote:

> For the FreeBSD SVN tree, this could almost be as simple as posting
> an email, maybe once a week, with the exact revision checked out
> and the PGP signed output of:
>
>     svn co ... && find ... -print | sort | xargs cat | sha256
>
> Such an archive would also be invaluable for reauthenticating in
> case somebody ever manages to do something evil to our repo.
>
>> Solve the problem at the correct location -- either fix svn to sign and
>> verify updates or dump it for something that can and use that existing
>> mechanism (e.g. git)
>
> As I mentioned humorously to you in private email, I don't think
> this particular problem will reach consensus any sooner if you
> are also tangling it in the SVN vs GIT political issue.

How about an uncompressed tarball signed with signify? It could be replicated with rsync (or zsync) and getting security patches wouldn't require lots of network bandwidth.

I still prefer to encrypt every transfer with PFS-only protocols, but even with transport encryption in place content authentication is still valuable because it allows the use of caching proxies.
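
Added example, not part of the original message and not FreeBSD project tooling: the tree-digest idea from the thread in POSIX shell, comparing a digest over concatenated file contents with a digest over a per-file manifest that also covers file names and boundaries. The function names and the demo files are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names are illustrative, not FreeBSD project tooling.

# SHA-256 of stdin as bare hex (sha256 on FreeBSD, sha256sum/shasum elsewhere).
sha256_stdin() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1
    fi
}

# Digest of the concatenated file contents, as in the quoted pipeline.
# File names and file boundaries are not part of the hashed data.
concat_digest() {
    (cd "$1" && find . -type f -print | LC_ALL=C sort | xargs cat | sha256_stdin)
}

# One "hash  path" line per file in bytewise path order. This manifest is
# the text one would sign (PGP or signify) and mail alongside the revision.
manifest() {
    (cd "$1" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do
            printf '%s  %s\n' "$(sha256_stdin < "$f")" "$f"
        done)
}

manifest_digest() { manifest "$1" | sha256_stdin; }

# Succeeds only if the tree matches a digest taken from a verified signature.
verify_tree() { [ "$(manifest_digest "$1")" = "$2" ]; }

# Constructed demo: the same bytes split differently across two files.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/good" "$tmp/moved"
    printf 'ab' > "$tmp/good/a";  printf 'c'  > "$tmp/good/b"
    printf 'a'  > "$tmp/moved/a"; printf 'bc' > "$tmp/moved/b"
    for t in good moved; do
        echo "$t concat=$(concat_digest "$tmp/$t") manifest=$(manifest_digest "$tmp/$t")"
    done
    rm -rf "$tmp"
}
demo
```

Because the manifest lists each file's own hash, a mismatch can be narrowed to the affected paths with `diff` against the signed copy.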