Date:      Sun, 18 Nov 2012 13:17:11 -0500
From:      Gary Palmer <gpalmer@freebsd.org>
To:        Chris Rees <utisoft@gmail.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Recent security announcement and csup/cvsup?
Message-ID:  <20121118181711.GG24320@in-addr.com>
In-Reply-To: <CADLo83-kcQWBUXwtWka5Sd%2BsNaDFGBxZuKbDN5g5ZDOf1cuGQw@mail.gmail.com>
References:  <20121117150556.GE24320@in-addr.com> <CADLo83-kcQWBUXwtWka5Sd%2BsNaDFGBxZuKbDN5g5ZDOf1cuGQw@mail.gmail.com>

On Sat, Nov 17, 2012 at 03:14:00PM +0000, Chris Rees wrote:
> On 17 Nov 2012 15:06, "Gary Palmer" <gpalmer@freebsd.org> wrote:
> >
> > Hi,
> >
> > Can someone explain why the cvsup/csup infrastructure is considered
> > insecure if the person had access to the *package* building cluster?
> > Is it because the leaked key also had access to something in the chain
> > that goes to cvsup, or is it because the project is not auditing the
> > cvsup system and so the default assumption is that it cannot be trusted
> > to not be compromised?
> >
> > If it is the latter, someone from the community could check rather than
> > encourage everyone who has been using csup/cvsup to wipe and reinstall
> > their boxes.  Unfortunately the wipe option is not possible for me right
> > now and my backups do go back to before the 19th of September
> 
> Checks are being made, but CVS makes it slow work.
> 
> It's incredibly unlikely that there will be a problem, but the Project has
> to be cautious in recommendations.

Thanks, Chris, for the update.  May I politely suggest that the web page
as I read it yesterday was more along the lines of "assume your machine is
rooted, reinstall it".  The reality is the message should have been "we
cannot prove cvs/cvsup was not affected yet, but we are continuing to
investigate.  If you want to be really sure you weren't affected, reinstall
from known clean media.  Else wait for further updates".

While I understand some people, especially the more security-minded people,
want to deprecate all access that isn't signed and secured, it's no reason
to cause people unnecessary work/panic.  Plus, signing is only as good as
the security of the systems doing the builds and signing the content.
It's just been proven that they may not be as secure as expected.

Regards,

Gary

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20121118181711.GG24320>