From owner-freebsd-security@freebsd.org Tue Dec 12 18:15:32 2017
From: Matthew Finkel
Date: Tue, 12 Dec 2017 18:15:28 +0000
To: Jan Bramkamp
Cc: freebsd-security@freebsd.org
Subject: Re: http subversion URLs should be discontinued in favor of https URLs
Message-ID: <20171212181528.trlevbjkl2aeqgrz@localhost>

On Tue, Dec 12, 2017 at 06:22:19PM +0100, Jan Bramkamp wrote:
>
> On 12.12.17 15:28, Poul-Henning Kamp wrote:
> > For the FreeBSD SVN tree, this could almost be as simple as posting
> > an email, maybe once a week, with the exact revision checked out
> > and the PGP signed output of:
> >
> >     svn co ... && find ... -print | sort | xargs cat | sha256
> >
> > Such an archive would also be invaluable for reauthenticating in
> > case somebody ever manages to do something evil to our repo.
> >
> > > Solve the problem at the correct location -- either fix svn to sign and
> > > verify updates or dump it for something that can and use that existing
> > > mechanism (e.g. git)
> >
> > As I mentioned humorously to you in private email, I don't think
> > this particular problem will reach consensus any sooner if you
> > also tangle it in the SVN vs GIT political issue.
>
> How about an uncompressed tarball signed with signify? It could be
> replicated with rsync (or zsync) and getting security patches wouldn't
> require lots of network bandwidth.

Portsnap already provides signed snapshots of the tree from mirrors. The
main problem is checking out the full tree as-is from the subversion
servers.

> I still prefer to encrypt every transfer with PFS-only protocols, but even
> with transport encryption in place content authentication is still valuable
> because it allows the use of caching proxies.
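The weekly tree digest that Poul-Henning Kamp sketches above, as an added example that is not part of this thread or of any FreeBSD tooling: a shell function that produces a deterministic digest of a checked-out tree, and a check of a local checkout against the value someone would take from the signed announcement. It goes one step beyond the quoted `find | sort | xargs cat | sha256` pipeline by binding each path to its own content hash, so a renamed file or content moved between files changes the digest. It assumes a POSIX shell and either coreutils `sha256sum` or FreeBSD's `sha256` on PATH; the `.svn` metadata directories are skipped.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes sha256sum (coreutils) or
# sha256 (FreeBSD) is available; everything else is POSIX sh.

# sha256_of FILE: print only the hex digest, whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# tree_digest DIR: one hex digest over a checked-out tree.
# The manifest is "<content hash>  <path>" per regular file, in byte-order
# sorted path order (LC_ALL=C), so the result is reproducible across hosts
# and a rename or a move of bytes between files alters it. The plain
# "xargs cat | sha256" variant would miss both of those.
tree_digest() {
    manifest=$(mktemp)
    ( cd "$1" && find . -type f ! -path '*/.svn/*' -print | LC_ALL=C sort |
      while IFS= read -r f; do
          printf '%s  %s\n' "$(sha256_of "$f")" "$f"
      done ) > "$manifest"
    d=$(sha256_of "$manifest")
    rm -f "$manifest"
    printf '%s\n' "$d"
}

# verify_tree DIR EXPECTED: exit 0 when the local checkout matches the digest
# published in the (PGP-verified) announcement, 1 otherwise.
verify_tree() {
    [ "$(tree_digest "$1")" = "$2" ]
}
```

The manifest itself, not only its digest, is what you would want to keep with the signed mail: on a mismatch, diffing two manifests tells you which files changed.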