Date: Thu, 17 Apr 2014 15:22:08 +0000 (UTC)
From: Christian Weisgerber <naddy@mips.inka.de>
To: freebsd-hackers@freebsd.org
Subject: Re: MITM attacks against portsnap and freebsd-update
Message-ID: <slrnlkvsd0.1tt8.naddy@lorvorc.mips.inka.de>
References: <CAHAXwYCGkP-o0VvMXj5S8-KNA45aTvy%2BsrjDL_=8-x9Dza5z5Q@mail.gmail.com> <2012148.SzKMgBGQYg@desktop.reztek>

On 2014-04-11, Matthew Rezny <matthew@reztek.cz> wrote:

> I agree portsnap could be replaced, but SVNlite isn't the answer. Instead, I
> suggest rsync. Rsync is fast to do the initial fetch and even faster to do the
> update.

Rsync performs poorly with large directory trees. Each run, it
stat(2)s every file, bringing the server to its knees. *The* feature
of CVSup was that it cached this meta data.

> in addition to, SSL/TLS support for the TCP connection, the trees could be
> fetched not as thousand of files, but as a couple tar files (src.tar and
> ports.tar), the hashes of which could be verified before extraction. Those tar
> files should be uncompressed in order to allow the rsync algorithm to work its
> magic during updates.

I'm not sure how that scales. Poorly unless the server can hold
the file completely in memory, would be my guess.

-- 
Christian "naddy" Weisgerber                          naddy@mips.inka.de