From owner-freebsd-security@FreeBSD.ORG Sun Nov 18 20:28:29 2012
Date: Sun, 18 Nov 2012 15:28:28 -0500
From: "b. f."
Reply-To: bf1783@gmail.com
To: Gary Palmer
Cc: freebsd-security@freebsd.org, "M. Schulte"
Subject: Re: Recent security announcement and csup/cvsup?
In-Reply-To: <20121118180421.GF24320@in-addr.com>
References: <20121117150556.GE24320@in-addr.com> <20121118180421.GF24320@in-addr.com>
List-Id: "Security issues [members-only posting]"

On 11/18/12, Gary Palmer wrote:
> On Sat, Nov 17, 2012 at 05:07:16PM +0100, M. Schulte wrote:
>> Hi,
>>
>> > Can someone explain why the cvsup/csup infrastructure is considered
>> > insecure [...]
>>
>> Speaking of cvsup security -- correct me if I'm wrong, but as far as I
>> know cvsup is generally vulnerable to man-in-the-middle attacks[0]. Hence I'd
>> be very happy about more and more people moving over to the portsnap
>> camp.
>>
>> Best,
>> mel
>>
>> [0] http://en.wikipedia.org/wiki/Portsnap
>>
>> http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2003-11/0287.html
>
> While I haven't investigated its protocol in detail, I would tend to
> suspect that svn is just as vulnerable as AFAIK the FreeBSD SVN servers
> are running in clear text mode. And yet we are being pushed towards SVN
> for source access instead of cvsup.

For the base system, and for projects, you should be able to use:

https://svn0.us-west.FreeBSD.org/
https://svn0.us-east.FreeBSD.org/

Unfortunately, AFAIK, the ports tree is not yet available via this
interface. (You could use a script and a https client with
https://svnweb.FreeBSD.org/ports , but this isn't very convenient.)

> portsnap is great if you can use the official ports tree without local
> modifications. If you need to patch some ports locally (for whatever
> reason) then I believe it is less helpful. cvs/svn let you update your
> local ports tree while keeping your local changes.

True. There are workarounds, but they're a bit awkward. CTM+PGP is only
slightly more convenient in this regard.

> In other words: while signed updates via freebsd-update and portsnap
> are great for a good chunk of users, they don't address everyone's needs.

b.
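The thread's point is that a cleartext transport (cvsup, or svn over svn:// or http://) gives an on-path attacker a chance to alter the tree you fetch, while the https mirrors named above let the client authenticate the server. The following wrapper is an added example, not code from the thread or from the FreeBSD project: it refuses to check out or update a tree unless the repository URL uses https, so a mis-typed or downgraded URL fails closed instead of silently fetching over cleartext. The mirror hostnames are the ones quoted in the message; the repository paths and local directories are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): only sync FreeBSD
# sources from an authenticated (https) mirror. Assumes svn is installed.

# Return 0 when the URL uses an authenticated transport (https://), 1 otherwise.
# svn:// and http:// are rejected because they carry no integrity protection.
is_authenticated_url() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Check out (first run) or update (later runs) a tree from an https mirror.
# Usage: secure_svn_sync <repository-url> <local-dir>
# Example (assumed path): secure_svn_sync https://svn0.us-west.FreeBSD.org/base/head /usr/src
secure_svn_sync() {
    url="$1"
    dir="$2"
    if ! is_authenticated_url "$url"; then
        echo "refusing cleartext transport: $url" >&2
        return 1
    fi
    if [ -d "$dir/.svn" ]; then
        # Existing checkout: let svn update it in place (local edits are merged).
        svn update "$dir"
    else
        svn checkout "$url" "$dir"
    fi
}
```

Leave svn's default certificate validation in place: if the mirror's certificate does not chain to a trusted CA, svn stops and asks, and the right response is to fix the trust store rather than to pass an option that accepts the certificate unconditionally.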