Date:      Sun, 18 Nov 2012 15:28:28 -0500
From:      "b. f." <bf1783@googlemail.com>
To:        Gary Palmer <gpalmer@freebsd.org>
Cc:        freebsd-security@freebsd.org, "M. Schulte" <m-freebsd@fuglos.org>
Subject:   Re: Recent security announcement and csup/cvsup?
Message-ID:  <CAGFTUwMrFdJPOcZx469pq_AAn6gZOuYOfpMmHyQOODg%2BAzRo4Q@mail.gmail.com>
In-Reply-To: <20121118180421.GF24320@in-addr.com>
References:  <20121117150556.GE24320@in-addr.com> <alpine.BSF.2.00.1211171705170.32838@m.fuglos.org> <20121118180421.GF24320@in-addr.com>

On 11/18/12, Gary Palmer <gpalmer@freebsd.org> wrote:
> On Sat, Nov 17, 2012 at 05:07:16PM +0100, M. Schulte wrote:
>> Hi,
>>
>> > Can someone explain why the cvsup/csup infrastructure is considered
>> > insecure [...]
>>
>> Speaking of cvsup security -- correct me if I'm wrong, but as far as I
>> know cvsup is generally vulnerable to man-in-the-middle attacks[0]. Hence I'd
>> be very happy about more and more people moving over to the portsnap
>> camp.
>>
>> Best,
>> mel
>>
>> [0] http://en.wikipedia.org/wiki/Portsnap
>>
>> http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2003-11/0287.html
>
> While I haven't investigated its protocol in detail, I would tend to suspect
> that svn is just as vulnerable as AFAIK the FreeBSD SVN servers are running
> in clear text mode.  And yet we are being pushed towards SVN for source
> access instead of cvsup.

For the base system, and for projects, you should be able to use:

https://svn0.us-west.FreeBSD.org/
https://svn0.us-east.FreeBSD.org/

Unfortunately, AFAIK, the ports tree is not yet available via this
interface. (You could use a script and an https client with
https://svnweb.FreeBSD.org/ports , but this isn't very convenient.)

>
> portsnap is great if you can use the official ports tree without local
> modifications.  If you need to patch some ports locally (for whatever
> reason) then I believe it is less helpful. cvs/svn let you update your local
> ports tree while keeping your local changes.

True.  There are workarounds, but they're a bit awkward. CTM+PGP is
only slightly more convenient in this regard.

>
> In other words: while signed updates via freebsd-update and portsnap
> are great for a good chunk of users, they don't address everyone's needs.
>

b.
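The practical point of the exchange above is that svn:// and http:// give the server no way to prove who it is, so whoever sits between you and the mirror can hand you altered sources, while the https:// mirrors b. lists are authenticated by the server certificate. The script below is an added example for this list archive, not something posted in the thread or shipped by FreeBSD. It classifies a Subversion working copy's repository URL by transport, and for a cleartext URL prints the `svn relocate` command that would move it onto an https host. It assumes a Subversion client of 1.9 or newer (for `svn info --show-item url`) and takes svn0.us-west.FreeBSD.org from the mail as the default https host; the repository path layout on that host is not stated in the thread and is left exactly as found in the existing URL.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit Subversion working
# copies for cleartext (unauthenticated) transports and suggest an https relocate.
# Assumes svn >= 1.9 for `svn info --show-item url`.

# Classify a repository URL by what its transport guarantees.
# Prints one of: tls | ssh | cleartext | local | unknown
svn_url_transport() {
    case "$1" in
        https://*)        echo tls ;;        # server authenticated by its X.509 certificate
        svn+ssh://*)      echo ssh ;;        # server authenticated by its SSH host key
        http://*|svn://*) echo cleartext ;;  # no server authentication: an on-path attacker can alter sources
        file://*)         echo local ;;
        *)                echo unknown ;;
    esac
}

# Rewrite a cleartext URL onto an https host, keeping the repository path.
# The default host is the one named in the mail; the path layout is assumed
# to be identical on both hosts, which this script cannot verify offline.
https_equivalent() {
    url=$1
    https_host=${2:-svn0.us-west.FreeBSD.org}
    case "$url" in
        svn://*|http://*)
            rest=${url#*://}                 # drop the scheme
            case "$rest" in
                */*) path=${rest#*/} ;;      # drop the host, keep the repo path
                *)   path= ;;                # bare host, no path
            esac
            echo "https://$https_host/$path" ;;
        *) echo "$url" ;;                    # already authenticated or not an svn/http URL
    esac
}

# Audit one or more working-copy directories. Returns 1 if any uses cleartext.
audit_working_copies() {
    rc=0
    for wc in "$@"; do
        if ! url=$(svn info --show-item url "$wc" 2>/dev/null); then
            echo "$wc: not a Subversion working copy"
            continue
        fi
        kind=$(svn_url_transport "$url")
        if [ "$kind" = cleartext ]; then
            echo "$wc: $url is cleartext; consider:"
            echo "    svn relocate $url $(https_equivalent "$url") $wc"
            rc=1
        else
            echo "$wc: $url ($kind)"
        fi
    done
    return $rc
}

# Usage: sh audit-svn.sh /usr/src /usr/ports
if [ "$#" -gt 0 ]; then
    audit_working_copies "$@"
fi
```

Run it against /usr/src and /usr/ports; a non-zero exit means at least one checkout still talks to a mirror over an unauthenticated transport. After relocating, the first `svn up` over https will prompt to accept the server certificate, and that fingerprint is worth checking against a copy obtained out of band rather than accepting blindly, since accepting an attacker's certificate defeats the whole point of the move.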
