Date: Sun, 18 Nov 2012 15:28:28 -0500
From: "b. f." <bf1783@googlemail.com>
To: Gary Palmer <gpalmer@freebsd.org>
Cc: freebsd-security@freebsd.org, "M. Schulte" <m-freebsd@fuglos.org>
Subject: Re: Recent security announcement and csup/cvsup?
Message-ID: <CAGFTUwMrFdJPOcZx469pq_AAn6gZOuYOfpMmHyQOODg+AzRo4Q@mail.gmail.com>
In-Reply-To: <20121118180421.GF24320@in-addr.com>
References: <20121117150556.GE24320@in-addr.com> <alpine.BSF.2.00.1211171705170.32838@m.fuglos.org> <20121118180421.GF24320@in-addr.com>
On 11/18/12, Gary Palmer <gpalmer@freebsd.org> wrote:
> On Sat, Nov 17, 2012 at 05:07:16PM +0100, M. Schulte wrote:
>> Hi,
>>
>> > Can someone explain why the cvsup/csup infrastructure is considered
>> > insecure [...]
>>
>> Speaking of cvsup security -- correct me if I'm wrong, but as far as I
>> know cvsup is generally vulnerable to man-in-the-middle attacks[0]. Hence I'd
>> be very happy about more and more people moving over to the portsnap
>> camp.
>>
>> Best,
>> mel
>>
>> [0] http://en.wikipedia.org/wiki/Portsnap
>>
>> http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2003-11/0287.html
>
> While I haven't investigated its protocol in detail, I would tend to
> suspect that svn is just as vulnerable as AFAIK the FreeBSD SVN servers
> are running in clear text mode. And yet we are being pushed towards SVN
> for source access instead of cvsup.

For the base system, and for projects, you should be able to use:

https://svn0.us-west.FreeBSD.org/
https://svn0.us-east.FreeBSD.org/

Unfortunately, AFAIK, the ports tree is not yet available via this
interface. (You could use a script and an https client with
https://svnweb.FreeBSD.org/ports , but this isn't very convenient.)

> portsnap is great if you can use the official ports tree without local
> modifications. If you need to patch some ports locally (for whatever
> reason) then I believe it is less helpful. cvs/svn let you update your
> local ports tree while keeping your local changes.

True. There are workarounds, but they're a bit awkward. CTM+PGP is only
slightly more convenient in this regard.

> In other words: while signed updates via freebsd-update and portsnap
> are great for a good chunk of users, they don't address everyone's needs.

b.