Date:      Sat, 17 Nov 2012 10:05:57 -0500
From:      Gary Palmer <gpalmer@freebsd.org>
To:        freebsd-security@freebsd.org
Subject:   Recent security announcement and csup/cvsup?
Message-ID:  <20121117150556.GE24320@in-addr.com>

Hi,

Can someone explain why the cvsup/csup infrastructure is considered insecure
if the person had access to the *package* building cluster?  Is it because
the leaked key also had access to something in the chain that goes to cvsup, 
or is it because the project is not auditing the cvsup system and so the
default assumption is that it cannot be trusted to not be compromised?

If it is the latter, someone from the community could check rather than
encourage everyone who has been using csup/cvsup to wipe and reinstall
their boxes.  Unfortunately the wipe option is not possible for me right
now and my backups do go back to before the 19th of September.

Thanks

Gary



