From owner-freebsd-security@FreeBSD.ORG Mon Nov 19 01:30:25 2012
Date: Sun, 18 Nov 2012 20:30:18 -0500
From: Gary Palmer <gpalmer@freebsd.org>
To: Chris Rees
Cc: freebsd-security@freebsd.org
Subject: Re: Recent security announcement and csup/cvsup?
Message-ID: <20121119013018.GH24320@in-addr.com>
References: <20121117150556.GE24320@in-addr.com> <20121118181711.GG24320@in-addr.com>
List-Id: "Security issues [members-only posting]"

On Sun, Nov 18, 2012 at 06:26:14PM +0000, Chris Rees wrote:
> On 18 November 2012 18:17, Gary Palmer wrote:
> > On Sat, Nov 17, 2012 at 03:14:00PM +0000, Chris Rees wrote:
> >> On 17 Nov 2012 15:06, "Gary Palmer" wrote:
> >> >
> >> > Hi,
> >> >
> >> > Can someone explain why the cvsup/csup infrastructure is considered
> >> > insecure if the person had access to the *package* building cluster?
> >> > Is it because the leaked key also had access to something in the chain
> >> > that goes to cvsup, or is it because the project is not auditing the
> >> > cvsup system and so the default assumption is that it cannot be trusted
> >> > to not be compromised?
> >> >
> >> > If it is the latter, someone from the community could check rather than
> >> > encourage everyone who has been using csup/cvsup to wipe and reinstall
> >> > their boxes. Unfortunately the wipe option is not possible for me right
> >> > now and my backups do go back to before the 19th of September
> >>
> >> Checks are being made, but CVS makes it slow work.
> >>
> >> It's incredibly unlikely that there will be a problem, but the Project has
> >> to be cautious in recommendations.
> >
> > Thanks Chris for the update. May I politely suggest that the web page
> > as I read it yesterday was more along the lines of "assume your machine is
> > rooted, reinstall it". The reality is the message should have been "we
> > cannot prove cvs/cvsup was not affected yet, but we are continuing to
> > investigate. If you want to be really sure you weren't affected, reinstall
> > from known clean media. Else wait for further updates".
> >
> > While I understand some people, especially the more security minded people,
> > want to deprecate all access that isn't signed and secured, it's no reason
> > to cause people unnecessary work/panic. Plus signing is only as good as
> > the security of the systems doing the builds and signing the content.
> > It's just been proven that they may not be as secure as expected.
>
> I'm afraid that you have to do your own risk assessment-- for the
> Project to recommend anything else would be irresponsible, and a major
> disaster should anything turn out to be compromised several months
> down the line...

In order to do a risk assessment you have to have information that is
lacking so far. There was nothing on the web announcement about the fact
that cvs/csup was being audited, but the audit wasn't complete. I've also
seen people comment that csup started working again, but there has been
no word on the results of the cvs audit.

I agree it is up to individual circumstances, but right now there is
little information on which to base the decision.

Thanks,

Gary

P.S. Please don't take this personally Chris, I appreciate that you have
been replying. However the FreeBSD Project has to start working with its
users and communicating more effectively with them about this potential
problem.