Date:      Sun, 18 Nov 2012 18:26:14 +0000
From:      Chris Rees <utisoft@gmail.com>
To:        Gary Palmer <gpalmer@freebsd.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Recent security announcement and csup/cvsup?
Message-ID:  <CADLo83-fX_FdXk3GZZQocPMaqChSkY_dgc5q1WHJgmmCSes4zw@mail.gmail.com>
In-Reply-To: <20121118181711.GG24320@in-addr.com>
References:  <20121117150556.GE24320@in-addr.com> <CADLo83-kcQWBUXwtWka5Sd+sNaDFGBxZuKbDN5g5ZDOf1cuGQw@mail.gmail.com> <20121118181711.GG24320@in-addr.com>

On 18 November 2012 18:17, Gary Palmer <gpalmer@freebsd.org> wrote:
> On Sat, Nov 17, 2012 at 03:14:00PM +0000, Chris Rees wrote:
>> On 17 Nov 2012 15:06, "Gary Palmer" <gpalmer@freebsd.org> wrote:
>> >
>> > Hi,
>> >
>> > Can someone explain why the cvsup/csup infrastructure is considered insecure
>> > if the person had access to the *package* building cluster?  Is it because
>> > the leaked key also had access to something in the chain that goes to cvsup,
>> > or is it because the project is not auditing the cvsup system and so the
>> > default assumption is that it cannot be trusted to not be compromised?
>> >
>> > If it is the latter, someone from the community could check rather than
>> > encourage everyone who has been using csup/cvsup to wipe and reinstall
>> > their boxes.  Unfortunately the wipe option is not possible for me right
>> > now and my backups do go back to before the 19th of September
>>
>> Checks are being made, but CVS makes it slow work.
>>
>> It's incredibly unlikely that there will be a problem, but the Project has
>> to be cautious in recommendations.
>
> Thanks Chris for the update.  May I politely suggest that the web page
> as I read it yesterday was more along the lines of "assume your machine is
> rooted, reinstall it".  The reality is the message should have been "we
> cannot prove cvs/cvsup was not affected yet, but we are continuing to
> investigate.  If you want to be really sure you weren't affected, reinstall
> from known clean media.  Else wait for further updates".
>
> While I understand some people, especially the more security minded people,
> want to deprecate all access that isn't signed and secured, it's no reason
> to cause people unnecessary work/panic.  Plus signing is only as good as
> the security of the systems doing the builds and signing the content.
> It's just been proven that they may not be as secure as expected.

I'm afraid that you have to do your own risk assessment-- for the
Project to recommend anything else would be irresponsible, and a major
disaster should anything turn out to be compromised several months
down the line...

Having said that, on a personal note I don't think I'll be
reinstalling in a hurry, but I'm also not handling banking details
etc.  As I said, you have to assess your own risk :)

Chris

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADLo83-fX_FdXk3GZZQocPMaqChSkY_dgc5q1WHJgmmCSes4zw>